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OFFICE  OF  PERSONNEL 
MANAGEMENT 

[5  CFR  Parts  293  and  297] 

Personnel  Records  and  FHes; 
Protection  of  Privacy  In  Personnel 
Records  ' 

agency:  Office  of  Personnel 

Management. 

action:  Proposed  rule. 


summary:  The  purpose  of  this  document 
is  to  propose  rules  that  designate  Civil 
Service  Commission  regulations  at  5 
CFR  293  and  297  as  Office  of  Personnel 
Management  regulations  and  amend 
these  regulations  to  implement  both  the 
President's  Reorganization  Plan  No.  2, 
dated  May  23, 1978,  and  the  Privacy  Act 
of  1974,  5  U.S.C.  552a. 

COMMENT  DATES:  Interested  parties  may 
submit  written  comments  regarding 
these  regulations.  To  be  considered, 
comments  must  be  received  on  or  before 
July  30, 1979. 

ADDRESS:  Address  comments  to  the 
Deputy  Assistant  Director  for  Workforce 
Information,  Agency  Compliance  and 
Evaluation,  Office  of  Personnel 
Management,  1900  E  Street,  NW., 
Washington,  D.C.  20415.  Comments 
received  will  be  available  for  public 
inspection  at  the  above  address 
between  the  hours  of  9  a.m.  and  4  p.m., 
Monday  through  Friday. 

FOR  FURTHER  INFORMATION  CONTACT: 

Mr.  William  H.  Lynch.  Agency 
Compliance  and  Evaluation,  202/254- 
9778. 

SUPPLEMENTARY  INFORMATION:  Under 
the  President's  Reorganization  Plan  No. 

2  of  1978,  effective  January  1, 1979  (43 
FR  36037),  the  Office  of  Personnel 
Management  (OPM)  became 
operational.  On  the  same  date.  OPM 
assumed  responsibility  for  many  of  the 
personnel  policy  making  functions  the 
Civil  Service  Commission  performed  for 
the  Executive  Branch.  Included  among 
those  functions  is  the  responsibility  for 
issuing  regulations  concerning  those 
Personnel  Records  and  Files  maintained 
by  agencies  on  most  current  and  former 
Federal  employees  which  are  either  part 
of  OPM's  records  or  subject  to  control 
by  OPM.  Therefore,  it  is  necessary  to 
effect  changes  in  the  former 
Commission's  regulation  at  5  CFR  293 
that  designate  this  as  an  OPM  regulation 
and  that  implements  OPM's 
responsibilities  in  this  area. 

.  Additionally,  other  changes  were 
made  to  those  regulations  and  also  to 
the  Commission's  regulations  at  5  CFR 
297,  necessary  to  implement  the  Privacy 


Act  of  1974,  5  U.S.C.  552a.  Pursuant  to  5 
U.S.C.  552a(f),  OPM,  as  an  agency  that 
maintains  records  subject  to  the  Privacy 
Act.  must  publish  regulations 
implementing  that  Act.  Therefore,  it  is 
necessary  to  designate  Part  297  as  an 
OPM  regulation  and  to  effect  changes  to 
both  Parts  293  and  297  that  will  describe 
OPM's  regulations  impleqienting  the 
Act.  Some  Privacy  Act  requirements 
have  been  moved  from  Part  293  to  Part 
297  and  the  regulations  have  been  made 
more  detailed  so  that  covered 
individuals,  agencies,  and  the  general 
public  are  better  informed. 

The  former  Civil  Service  Commission 
published  its  rules  on  improving 
regulations  (required  by  Executive 
Order  12044)  at  43  FR  56253  et  seq.,  and, 
under  the  saving  provisions  of  section 
902  of  the  Civil  Service  Reform  Act.  Pub. 
L.  95-454,  the  Office  of  Personnel 
Management  (OPM)  remains  subject  to 
these  regulations  until  OPM  supersedes 
them.  Therefore,  in  compliance  with 
section  3b(4)  of  these  regulations,  the 
public  will  have  a  full  60*day  comment 
period. 

The  complete  revised  Parts  293  and 
297  follow. 

Office  of  Personnel  Management. 

Beverly  M.  Jones, 

Issuance  System  Manager. 

PART  293— PERSONNEL  RECORDS 

Subpart  A— Basic  Policies  on  Maintenance 
of  Personnel  Records 

Sec. 

293.101  Purpose  and  scope. 

293.102  Definitions. 

293.103  Recordkeeping  standards. 

293.104  Collection  of  information. 

293.105  Restrictions  on  collection  and  use  of 
information. 

293.106  Safeguarding  information  about 
individuals. 

293.107  Special  safeguards  for  automated 
records. 

293.108  Rules  of  conduct. 

Subpart  B— Personnel  Records  Subject  to 
the  Privacy  Act 

293.201  Purpose. 

293.202  Records  subject  to  Office  or  agency 
Privacy  Act  regulations. 

293.203  Review  of  Office  or  agency 
practices. 

Subpart  C— Official  Personnel  Folder 

293.301  Applicability  of  regulations. 

293.302  Establishment  of  official  personnel 
folder. 

293.303  Ownership  of  folder. 

293.304  Maintenance  and  content  of  folder. 

293.305  Type  of  folder  to  be  used. 

293.306  Use  of  existing  folders  upon  transfer 
or  reemployment. 

293.307  Disposition  of  folders  of  fomier 
Federal  employees. 


293.306  Removal  of  temporary  records  from 
folders. 

Authority:  5  U.S.C.  552a;  Executive  Order 
12107,  (December  28, 1978),  5  U.S.C.  1302.  3 
CFR  1954-1958  Compilation:  5  CFR  7.2; 
Executive  Order  9830,  3  CFR  1943-1948 
Compilation. 

Subpart  A— Basic  Policies  on 
Maintenance  of  Personnei  Records 

§  293.101  Purpose  and  scope. 

(a)  This  subpart  sets  forth  basic 
policies  governing  the  creation, 
development,  maintenance,  processing, 
use,  dissemination,  and  safeguarding  of 
personnel  records  which  the  Office  of 
Personnel  Management  requires 
agencies  to  maintain  in  the  personnel 
management  or  personnel  policy  setting 
process. 

(b)  Agencies  in  the  Executive  Branch 
of  the  Federal  Government  are  subject 
to  specific  Office  of  Personnel 
Management  recordkeeping 
requirements  to  varying  degrees, 
pursuant  to  statute.  Office  regulation,  or 
formal  agreements  between  the  Office 
and  agencies.  This  subpart  applies  to 
any  department  or  independent 
establishment  in  the  Executive  Branch 
of  the  Federal  Government,  including  a 
Government  corporation  or  Government 
controlled  corporation,  except  those 
specifically  excluded  from  Office 
recordkeeping  requirements  by  statute. 
Office  regulation,  or  formal  agreement 
between  the  Office  and  that  agency. 

§293.102  Definitions. 

In  this  part:  f  • 

“Agency”  means  any  executive  . 
department,  military  department. 
Government  corporation.  Government 
controlled  corporation,  or  other 
establishment  in  the  Executive  Branch 
of  the  Government  (including  the 
Executive  Office  of  the  President),  or 
any  independent  regulatory  agency; 

“Data  subject”  means  the  individual 
about  whom  the  Office  or  agency  is 
maintaining  information  in  a  system  of 
records; 

“Individual”  means  a  citizen  of  the 
United  States  or  an  alien  lawfully 
admitted  for  permanent  residence; 

“Information”  means  papers,  records, 
photographs,  magnetic  storage  media, 
micro  storage  media,  and  other 
documentary  materials,  regardless  of 
physical  form  or  characteristics, 
containing  data  about  an  individual  and 
required  by  the  Office  in  pursuance  of 
law  or  in  connection  with  the  discharge 
of  official  business,  as  defined  by 
statute,  regulation,  or  administrative 
procedure; 

“Maintain”  includes  collect,  use,  or 
disseminate; 
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“Office”  means  the  Office  of 
Personnel  Management; 

“Personnel  record”  means  any  record 
concerning  an  individual  which  is 
maintained  and  used  in  the  personnel 
management  or  personnel  policysetting 
process.  (For  purposes  of  this  part  this 
term  is  not  limited  just  to  those 
personnel  records  in  a  system  of  records 
and  subject  to  the  Privacy  Act); 

“Record”  means  any  item,  collection, 
or  grouping  of  information  about  an 
individual  that  is  maintained  by  an 
agency,  including,  but  not  limited  to,  his 
or  her  education,  financial  transactions, 
medical  history,  criminal  history,  or 
employment  history; 

“System  of  records”  means  a  group  of 
records  under  the  control  of  any  agency 
from  which  information  is  retrieved  by 
the  name  of  the  individual  or  by  some 
identifying  number,  symbol,  or  other 
identifying  particular  assigned  to  the 
individual. 

§  293.103  Recordkeeping  standards. 

(a)  The  head  of  each  agency  shall 
ensure  that  persons  having  access  to  or 
involved  in  the  creation,  development, 
processing,  use,  or  maintenance  of 
per;  mnei  records  are  informed  of 
pertinent  recordkeeping  regulations  and 
requirements  of  the  Office  of  Personnel 
Management  and  the  agency.  Authority 
to  maintain  personnel  records  does  not 
constitute  authority  to  maintain 
information  in  the  record  merely 
because  it  may  be  useful;  both 
Government-wide  and  internal  agency 
personnel  records  shall  contain  only 
information  concerning  an  individual 
that  is  relevant  and  necessary  to 
accomplish  the  Federal  personnel 
management  purposes  required  by 
statute.  Executive  order,  or  Office 
regulation. 

(b)  The  Office  is  responsible  for 
establishing  minimum  standards  of 
accuracy,  relevancy,  necessity, 
timeliness,  and  completeness  for 
personnel  records  it  requires  agencies  to 
maintain.  These  standards  are  discussed 
in  appropriate  chapters  of  the  Federal 
Personnel  Manual.  Before  approval  of 
any  agency  requests  for  changes  in 
recordkeeping  practices  governed  by  the 
Federal  Personnel  Manual,  the  Office 
will  examine  the  proposal  or  request  in 
the  context  of  such  standards  set  forth 
by  the  agency  in  support  of  the  proposal 
and  in  light  of  the  personnel  program 
area  that  requires  these  records. 

§  293.104  Collection  of  information. 

(a)  Any  information  in  personnel 
records,  whether  or  not  those  records 
are  in  a  system  of  records,  used  in 
whole  or  in  part  in  making  a 


determination  about  an  individual’s 
rights,  benefits,  or  privileges  under 
Federal  personnel  programs  should, 
where  feasible,  be  collected  directly 
from  the  individual  oonoemed.  Factors 
to  be  oonsiderad  in  determining  whether 
to  collect  the  data  hx)m  the  individual 
concerned  or  a  third  party  are  when: 

(1)  The  nature  of  the  information  is 
such  that  it  can  only  be  obtained  from 
another  party; 

(2)  The  cost  of  collecting  the 
information  directly  from  the  individual 
is  unreasonable  when  compared  with 
the  cost  of  collecting  it  from  another 
party; 

(3)  There  is  virtually  no  risk  that 
information  collected  from  other  parties, 
if  inaccurate,  could  result  in  a 
determination  adverse  to  the  individual 
concerned; 

(4)  The  information  supplied  by  an 
individual  must  be  verified  by  another 
party;  or 

(5)  There  are  provisions  made,  where 
feasible,  to  verify  information  collected 
from  another  party  with  the  individual 
concerned. 

§  293.105  Restrictions  on  collection  and 
use  of  information. 

(a)  First  Amendment.  Personnel 
records  describing  how  individuals 
exercise  rights  guaranteed  by  the  First 
Amendment  are  prohibited  unless 
expressly  authorized  by  statute,  or  by 
the  individual  concerned,  or  unless 
pertinent  to  and  within  the  scope  of  an 
authorized  law  enforcement  activity. 
These  rights  include,  but  are  not  limited 
to,  free  exercise  of  religious  and  political 
beliefs,  freedom  of  speech  and  the  press, 
and  freedom  to  assemble  and  to  petition 
the  government. 

(b)  Social  Security  Number.  . 

(1)  Agencies  may  not  require 

individuals  to  disclose  their  Social 
Security  Number  unless  disclosure 
would  be  required: 

(1)  Under  Federal  statute;  or 

(ii)  Under  any  statute.  Executive 
order,  or  regulation  that  authorizes  any 
Federal,  State,  or  local  agency 
maintaining  a  system  of  records  that 
was  in  existence  and  operating  prior  to 
January  1, 1975,  to  request  the  Social 
Security  Number  as  a  necessary  means 
of  verifying  the  identity  of  an  individual. 

(2)  Individuals  asked  *o  voluntarily 
provide  their  Social  Sec  irity  Number 
shall  suffer  no  penalty  or  denial  of 
benehts  for  refusing  to  provide  it. 

§  293.106  Safeguarding  information  about 
individuals. 

(a)  To  ensure  the  security  and 
confidentiality  of  personnel  records,  in 
whatever  form,  each  agency  shall 


establish  administrative,  teohnioel,  and 
physical  controls  to  protect  information 
in  personnel  reoords  from  onauthorized 
acoess,  use,  modification,  destruction,  or 
disclosure.  As  a  minimum,  these 
controls  shall  require  that  all  persons 
whose  official  duties  require  access  to 
and  use  of  personnel  records  be 
responsible  and  accountable  for 
safeguarding  those  records  and  for 
ensuring  that  the  records  are  secured 
whenever  they  are  not  in  use  or  under 
the  direct  control  of  authorized  persons. 
Generally,  personnel  records  should  be 
held,  processed,  or  stored  only  where 
facilities  and  conditions  are  adequate  to 
prevent  unauthorized  access. 

(b)  Personnel  records  must  be  stored 
in  metal  filing  cabinets  which  are  locked 
when  the  records  are  not  in  use,  or  in  a 
secured  room.  Alternative  storage 
facilities  may  be  employed  provided 
they  furnish  an  equivalent  or  greater 
degree  of  security  than  these  methods. 
Except  for  access  by  the  data  subject, 
only  employees  whose  official  duties 
require  access  shall  be  allowed  to 
handle  and  use  personnel  records,  in 
whatever  form  or  media  the  records 
might  appear.  To  the  extent  feasible, 
entry  into  personnel  record  storage 
areas  shall  be  similarly  limited. 
Documentation  of  the  removal  of 
records  from  storage  areas  must  be  kept 
so  that  adequate  control  procedures  can 
be  established  to  assure  that  removed 
records  are  returned  on  a  timely  basis. 

(c)  Disposal  and  destruction  of 
personnel  records  shall  be  in 
accordance  with  the  General  Record 
Schedule  issued  by  the  General  Services 
Administration  for  the  records  or, 
alternatively,  with  Office  or  agency 
records  control  schedules  approved  by 
the  National  Archives  and  Records 
Service  of  the  General  Services 
Administration. 

S  293.107  Special  safeguards  for 
automated  records. 

(a)  In  addition  to  following  the 
security  requirements  of  §  293.106  of  this 
part,  managers  of  automated  personnel 
records  shall  establish  administrative, 
technical,  physical,  and  security 
safeguards  for  data  about  individuals  in 
automated  records,  including  input  and 
output  documents,  reports,  punched 
cards,  magnetic  tapes,  disks,  and  on-line 
computer  storage.  The  safeguards  must 
be  in  writing  to  comply  with  the 
standards  on  automated  data  processing 
physical  security  issued  by  the  National 
Bureau  of  Standards,  U.S.  Department  of 
Commerce,  and,  as  a  minimum,  must  be 
sufficient  to: 

(1)  Prevent  careless,  accidental,  or 
unintentional  disclosure,  modification. 


Federal  Register  /  Vol.  44.  No.  104  /  Tuesday.  May  29,  1979  /  Proposed  Rules 


or  destruction  of  identifiable  personal 
data: 

(2)  Minimize  the  risk  that  skilled 
technicians  or  knowledgeable  persons 
could  improperly  obtain  access  to, 
modify,  or  destroy  identifiable  personnel 
data: 

(3)  Prevent  casual  entry  by  unskilled 
persons  who  have  no  official  reason  for 
access  to  such  data: 

(4)  Minimize  the  risk  of  an 
unauthorized  disclosure  where  use  is 
made  of  identifiable  personal  data  in 
testing  of  computer  programs; 

(5)  Control  ^e  flow  of  data  into, 
through,  and  from  agency  computer 
operations: 

(6)  Adequately  protect  identifiable 
data  from  environmental  hazards  and 
unnecessary  exposure:  and 

(7)  Assure  adequate  internal  audit 
procedures  to  comply  with  these 
procedures. 

(b)  The  disposal  of  identifiable 
personal  data  in  automated  files  is  to  be 
accomplished  in  such  a  maimer  as  to 
make  the  data  unobtainable  to 
unauthorized  personnel.  Unneeded 
personal  data  stored  on  reusable  media 
such  as  magnetic  tapes  and  disks  must 
be  erased  prior  to  release  of  the  media 
for  reuse. 

§  293.108  Rules  of  conduct 

(a)  Scope.  These  rules  of  conduct 
apply  to  all  O^ice  and  agency 
employees  responsible  for  creation, 
development,  maintenance,  processing, 
use.  dissemination,  and  safeguarding  of 
personnel  records.  The  Office  and 
agencies  shall  require  that  such 
employees  are  familiar  with  these  and 
appropriate  supplemental  agency 
internal  regulations. 

(b)  Standards  of  Conduct.  Office  and 
agency  employees  whose  official  duties 
involve  personnel  records  shall  be 
sensitive  to  individual  rights  to  personal 
privacy  and  shall  not  disclose 
information  from  any  personnel  record 
unless  disclosure  is  part  of  their  official 
duties  or  required  by  executive  order, 
regulation,  or  statute  (e  g.,  required  by 
the  Freedom  of  Information  Act.  5  U.S.C. 
552). 

(c)  Improper  uses  of  personnel 
information.  Any  Office  or  agency 
employee  who  makes  a  disclosure  of 
personnel  records  knowing  that  such 
disclosure  is  unauthorized,  or  otherwise 
knowingly  violates  these  regulations, 
shall  be  subject  to  disciplinary  action 
and  may  also  be  subject  to  criminal 
penalties  where  the  records  are  subject 
to  the  Privacy  Act  (5  U.S.C.  552a). 
Employees  are  prohibited  from  using 
personnel  information  not  available  to 
the  public,  gained  through  official  duties. 


for  commercial  solicitation  or  sale,  or  for 
personal  gain. 

Subpart  B — Personnel  Records 
Subject  to  the  Privacy  Act 

§  293.201  Purpose. 

The  purpose  of  this  subpart  is  to  set 
forth  the  criteria  to  be  used  to  determine 
when  personnel  records  on  individuals 
are  subject  both  to  the  regulations 
contained  in  this  part  and  to  Office  or 
agency  regulations  implementing  the 
Privacy  Act  of  1974,  5  U.S.C.  552a.  When 
personnel  records  are  maintained  within 
a  system  of  records,  the  records  are 
deemed  to  be  within  the  scope  of  both 
the  regulations  in  this  part  and  Office  or 
agency  regulations  implementing  the 
Privacy  Act. 

§  293.202  Records  subject  to  Office  or 
agency  Privacy  Act  regulations. 

When  the  Office  of  Personnel 
Management  publishes  in  the  Federal 
Register  a  notice  of  system  of  records 
for  personnel  records  which  are 
maintained  by  the  agencies  or  by  the 
Office,  that  system  of  records  will  be 
subject  to  the  regulations  in  this  part 
and  also  to  the  regulations  in  part  297  of 
this  chapter.  When  agencies  publish  a 
notice  of  system  of  records  for  personnel 
records  required  by  the  Office  that  are 
not  included  in  the  Office's  notices, 
those  agency  systems  of  records  will  be 
subject  both  to  the  regulations  contained 
in  this  part  and  to  agency  promulgated 
regulations  that  implement  the  Privacy 
Act. 

§  293.203  Review  Of  Office  or  agency 
practices. 

Reviews  of  agency  personnel 
management  policies  and  practices  will 
be  conducted  to  insure  compliance  with 
Office  regulations.  The  Office  may 
direct  agencies  to  take  whatever 
corrective  action  is  necessary.  Office  or 
agency  officials  who  have  knowledge  of 
violations  of  these  regulations  shall  take 
whatever  corrective  action  is  necessary. 
Agencies  shall  list  officials  of  the  Office 
of  Personnel  Management  as  a  routine 
user  for  personnel  records  to  assist  the 
Office  in  its  oversight  responsibilities. 

Subpart  C— Official  Personnel  Folder 

§  293.301  Applicability  of  regulations. 

This  subpart  applies  to.  and  within 
this  subpart  “agency"  means,  except 
those  specifically  excluded  from  Office 
recordkeeping  requirements  by  statute. 
Office  regulation,  or  formal  agreement 
between  the  Office  and  the  agency,  each 
executive  department  and  independent ' 
establishment  of  the  Federal 
Government,  each  corporation  wholly 


owned  or  controlled  by  the  United 
States,  and  with  respect  to  positions 
subject  to  civil  service  rules  and 
regulations,  the  legislative  and  judicial 
branches  of  the  Federal  Government 
and  the  District  of  Columbia 
Government, 

§  293.302  Establishment  of  Official 
Personnel  Folder. 

Each  agency  shall  establish  an 
Official  Personnel  Folder  for  each 
employee  occupying  a  position  subject 
to  this  part  except  as  provided  in 
section  293.306.  Generally,  there  will  be 
only  one  Official  Personnel  Folder 
maintained  for  each  employee. 

§  293.303  Ownership  of  folder. 

The  Official  Personnel  Folder  of  each 
employee  in  a  position  subject  to  civil 
service  rules  and  regulations  is  under 
the  jurisdiction  and  control  of,  and  is 
part  of  the  records  of,  the  Office  of 
Personnel  Management 

§  293.304 '  Maintenance  and  content  of 
folder. 

The  head  of  each  agency  shall 
maintain  in  the  Official  Personnel  Folder 
the  reports  of  selection  and  other 
personnel  actions  named  in  section  2951 
of  title  5,  United  States  Code.  The  folder 
shall  also  contain  permanent  records 
affecting  the  employee's  status  and 
service  as  required  by  the  Office's 
instructions  and  as  designated  in  FPM 
Supplement  293-31. 

§  293.305  Type  of  folder  to  be  used. 

Each  agency  shall  use  only  Official 
Personnel  Folders  from  Federal  Supply 
Service  contracts  or  stock  for  the  folders 
required  by  this  part 

§  293.306  Use  of  existing  folders  upon 
transfer  or  reemployment 

When  an  agency  hires  a  person  who 
has  served  on  or  after  April  1. 1947,  in  a 
position  subject  to  this  part  it  shall 
request  the  transfer  of  the  Official 
Personnel  Folder  pertaining  to  the 
person's  employment  The  folder  so 
obtained  shall  be  used  in  lieu  of 
establishing  a  new  Official  Personnel 
Folder. 

(a)  When  a  person  for  whom  an 
Official  Personnel  Folder  has  been 
established  transfers  from  one  agency  to 
another,  the  last  employing  (losing) 
agency  shall,  on  request  transfer  the 
folder  to  the  new  employing  agency. 

(b)  Before  transferring  the  Official 
Personnel  Folder,  the  losing  agency 
shall: 

(1)  Remove  those  records  of  a 
temporary  nature  filed  on  the  left  side  of 
the  folder,  and 


Federal  Register  /  Vol.  44,  No.  104  /  Tuesday,  May  29,  1979  /  Proposed  Rules 


30823 


(2)  Insure  that  all  permanent 
documents  of  the  folder  are  complete, 
correct,  and  present  in  the  folder  in 
accordance  with  FPM  Supplement  293- 
31. 

§  293.307  Disposition  of  folders  of  former 
Federal  employees. 

(a)  Folders  of  persons  separated  from 
employment  must  be  retained  by  the 
losing  agency  for  thirty  days  after 
separation,  and  may  be  retained  for  an 
additional  sixty  days.  Thereafter,  the 
folder  should  be  transferred  to  the 
General  Services  Administration, 
National  Personnel  Records  Center 
(Civilian),  111  Winnebago  Street,  St. 
Louis,  Missouri  63118. 

(b)  When  a  former  Federal  employee 
is  reappointed  in  the  Federal  service,  the 
National  Personnel  Records  Center 
(Civilian)  shall,  upon  request,  transfer 
the  folder  to  the  new  employing  agency. 

§  293.308  Removal  of  temporary  records 
from  folders. 

The  employing  agency  having 
possession  of  an  Official  Personnel 
Folder  shall  remove  temporary  records 
from  the  folder  before  it  is  transferred  to 
another  agency  in  accordance  with 
General  Schedule  1  promulgated  by  the 
General  Services  Administration. 

PART  297->PROTECTION  OF  PRIVACY 
AND  PERSONNEL  RECORDS 

Subpart  A— General  Provisions 

297.101  Purpose  and  scope. 

297.102  Definitions. 

297.103  Designations  of  authority  by  system 
manager. 

Subpart  B— Individual  Rights  Regarding 
Access,  Amendment,  and  Disclosure 

297.201  Identification  requirements  for 
specific  inquiries  and  requests  for  access. 

297.202  Inquiries. 

297.203  Request  for  access  to  personnel 
records. 

297.204  Methods  of  access. 

297.205  Denials  of  access  requests. 

297.206  Request  for  administrative  review  of 
denial  of  access. 

297.207  Judicial  review. 

297.208  Request  for  amendment  of  records. 

297.209  Response  to  request  for  amendment 
of  records. 

297.210  Request  for  administrative  review  of 
denial  of  an  amendment. 

297.211  Judicial  review. 

297.212  Fees. 

297.213  Disclosures  generally  prohibited. 

297.214  Request  for  accounting  of 
disclosures. 

Subpart  C— 'Agency  Responslbilitiee  for 
Processing  Privacy  Act  Requests 

297.301  Responsibilities. 

297.302  Verification  of  identity  of  requester. 

297.303  Response  to  access  requests. 


297.304  Exempt  records. 

297.305  Response  to  request  for 
administrative  review  of  denial  of 
access. 

297.306  Request  for  correction/amendment. 

297.307  Basis  for  denials  of  request  for 
amendments. 

297.308  Response  to  request  for 
administrative  review  of  denial  of 
request  for  amendment. 

Subpart  D — Requirements  for 
Recordkeeping  Under  the  Privacy  Act 

Sec. 

297.401  Responsibility  for  systems  of 
records. 

297.402  Responsibility  for  litigation 
concerning  the  regulations. 

297.403  Publication  of  annual  notices. 

297.404  Reports  on  .changes  to  systems  of 
records. 

297.405  Penalties. 

297.406  Changing  or  adding  routine  uses. 

297.407  Providing  Privacy  Act  Statements. 

297.408  Annual  reports. 

297.409  Annual  notice  to  employees. 

Subpart  E— Disclosures  From  Systems  of 
Records 

297.501  Restrictions  on  disclosure  of  a 
deceased  data  subject's  record. 

297.502  General  written  consent 
requirement. 

297.503  Disclosures  permitted  without  prior 
written  consent  of  the  data  subject. 

297.504  Disclosure  pursuant  to  compulsory 
legal  process. 

297.505  Disclosure  pursuant  to  a  subpoena. 

297.506  Accounting  of  disclosure. 

297.507  Penalties. 

Authority:  Sec.  3.  Pub.  L.  93-579.  88  Stat. 
1896  (5  U.S.C.  552a). 

Subpart  A— General  Provisions 

§  297.101  Purpose  and  scope. 

(a)  These  regulations  implement  the 
provisions  of  Pub.  L.  93-579,  the  Privacy 
Act  of  1974  (5  U,S.C.  552a).  The  _ 
regulations  govern  the  types  of  systems 
of  personnel  records  listed  below  and 
which  are  more  thoroughly  identified  in 
the  annual  publication  of  the  Office’s 
notices  of  systems  of  records. 

(1)  Internal  systems  of  personnel 
records  established  and  maintained  by 
the  Office  of  Personnel  Management 
(OPM)  solely  on  its  own  employees  and 
which  are  under  its  physical  control. 

(2)  Centralized  systems  of  persoimel 
records  physically  established  and 
maintained  by  the  Office  of  Personnel 
Management  on  most  current  and 
former  Federal  employees  and  some 
applicants  for  Federal  employment. 

(3)  Government-wide  systems  of 
personnel  records  that  are  maintained  . 
by  agencies  on  their  employees  or  on 
applicants  for  employment  for  the  Office 
of  Personnel  Management  and  which 
are  in  the  physical  custody  of  agencies. 
’Though  such  records  are  in  the  physical 


custody  of  agencies,  the  Office  of 
Personnel  Management  has  retained 
authority  under  ^e  Privacy  Act  to  make 
reviews  of  initial  agency  determinations 
regarding  access  to  and  amendment  of 
records  in  these  systems, 

(b)  For  the  purposes  of  this  part,  the 
term  “agency”  applies  to  any 
department  or  independent 
establishment  in  the  Executive  Branch 
of  the  Federal  Government,  including  a 
Government  corporation  or  Government 
controlled  corporation,  except  those 
specifically  excluded  from  Office  of 
Personnel  Management  recordkeeping 
requirements  by  statute,  Office  of 
Personnel  Management  regulation,  or 
formal  agreement  between  the  Office  of 
Personnel  Management  and  that  agency. 

$  297.102  Definitions. 

For  the  purpose  of  this  part,  the  terms 
used  herein  have  the  same  meanings  as 
defined  in  the  Privacy  Act  5  U.S.C.  552a. 
In  addition: 

"Access”  means  providing  a  copy  of  a 
record  to,  or  allowing  review  of  the 
original  record  by  the  data  subject  or  the 
data  subject’s  authorized  representative, 
parent,  or  legal  guardian; 

“Act”  means  the  Privacy  Act  of  1974. 
Pub.  L.  93-579,  5  U.S.C.  552a: 

“Amendment”  includes  correction, 
addition,  deletion,  or  destruction  of  the 
record  or  specific  portions 
thereof;l“Annual  Report”  means  that 
report  required  to  be  submitted  by  each 
Federal  agency  to  the  Office  of 
Management  and  Budget  by  April  30th 
of  each  year  identifying  its  activities 
under  the  Privacy  Act  for  the  preceding 
calendar  year, 

“Data  subject”  means  the  individual 
to  whom  the  information  pertains  and 
by  whose  name  or  other  individual 
identiHer  the  information  is  retrieved; 

“Disclosure”  means  providing  pesonai 
review  of  a  record,  or  a  copy  thereof  to 
someone  other  than  the  data  subject,  the 
data  subject’s  authorized  representative, 
parent,  or  legal  guardian; 

“Notice  of  system  of  records”  means 
the  notice,  published  in  the  Federal 
Register,  of  the  existence  and  character 
of  every  system  of  record,  hereinafter 
referred  to  as  system  notice; 

“Office”  means  the  Office  of 
Personnel  Management; 

“Personnel  record”  means  any  record 
concerning  an  individual  which  is 
maintained  and  used  in  the  personnel 
management  or  personnel  policy-making 
process;  and 

“System  Manager”  means  the  agency 
official,  designated  by  the  head  of  the 
agency,  who  has  the  authority  to  decide 
Pdvacy  Act  matters  relative  to  each 
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system  of  records  maintained  by 
agency. 

§  297.103  Delegations  of  authority  by 
system  manager. 

The  responsible  Office  or  agency 
system  manager  having  jurisdiction  over 
a  system  of  records  may  designate  in 
writing  an  agency  employee  either  at  the 
agency's  headquarters  or  field  office  to 
evaluate  and  issue  the  agency  decision 
on  Privacy  Act  matters  relating  to  the 
system  of  records.  The  designee  should 
have  ready  access  to  the  record 
involved,  and  be  knowledgeable  in  all 
matters  concerning  what  comprises  the 
system  of  records  and  the  basis  for 
deciding  Privacy  Act  issues. 

Subpart  B — Individual  Rights 
Regarding  Access,  Amendment,  and 
Disclosure 

§  297J201  Identification  requirements  for 
specific  inquiries  and  requests  for  access. 

(a)  Unless  the  information  sought  is 
required  to  be  released  under  the 
Freedom  of  Information  Act  or  other 
statute,  the  Office  or  agency  shall 
require  proof  of  identity  from  a 
requester,  and  reserves  the  right  to 
determine  the  adequacy  of  any  such 
proof  of  identity  before  responding  to  a 
specific  inquiry  or  request  for  access  to 
a  record  in  a  system  of  records.  The 
general  identifying  information  items  to 
be  supplied  before  a  specific  inquiry  or 
request  for  access  can  be  answered,  are: 

(1)  Full  name,  signature,  and  home 
address; 

(2)  Date  and  place  of  birth; 

(3)  The  current  or  last  place  and  dates 
of  Federal  employment,  if  appropriate; 
and 

(4)  Social  Security  Number  (for 
systems  of  records  retrieved  by  this 
identifier). 

(b)  A  request/inquiry  from  someone 
other  than  the  data  subject  shall  contain 
copies  of  any  documents  that  establish 
the  relationship  or  authorize  access  as 
follows*. 

(1)  Where  the  requester  is  the  parent 
or  legal  guardian  of  a  data  subject  who 
is  a  minor  (generally,  a  data  subject 
under  eighteen  years  of  age,  but  local 
law  would  control),  the  requester  shall 
identify  the  relationship  with  the  data 
subject  and  furnish  a  certified  or 
authenticated  (e.g.  notarized)  copy  of 
any  document  establishing  parentage  or 
appointment  as  legal  guai^ian; 

(2)  Where  the  requester  is  the  legal 
guardian  of  a  data  subject  who  has  been 
declared  incompetent  by  the  courts,  the 
requester  shall  identify  the  relationship 
with  the  data  subject  and  furnish  a 
certified  or  authenticated  copy  of  the 
court's  appointment  of  guardianship; 


(3)  Where  the  requester  is  a 
representative  of  the  data  subject,  the 
requester  shall  identify  the  relationship 
with  the  data  subject  or  the  data 
subject's  parent  or  legal  guardian,  and 
furnish  documentation  designating  the 
representative  as  having  the  authority  to 
act  on  behalf  of  the  data  subject. 

(c)  The  methods  by  which  a  requester, 
who  makes  a  request  in  person,  proves 
his  or  her  identity  are: 

(1)  When  a  request  is  from  the  data 
subject,  the  means  of  proof,  in  order  of 
preference,  are: 

(1)  A  document  bearing  the 
individual's  photograph  and  signature 
(for  example,  driver's  license,  passport, 
or  military  or  civilian  identification 
card);  or 

(ii)  Two  documents  bearing  the 
individual's  signature  (for  example, 
medicare  card,  unemployment  insurance 
book,  employer  identification  card, 
national  credit  card,  professional,  craft, 
or  union  membership  card); 

(2) When  a  request  is  made  by  the 
parent,  legal  guardian,  or  authorized 
representative  of  the  data  subject,  the 
means  of  identifying  the  requester  and 
his  or  her  authority  for  acting  on  behalf 
of  the  data  subject,  shall  be  as 
prescribed  in  paragraphs  (b)  and  (c)  of 
this  section.  In  addition,  the  requester 
shall  establish  the  identity  of  the  data 
subject  in  the  manner  prescribed  in 
paragraph  (a)  of  this  section. 

(d)  When  a  written  inquiry  or  request 
is  received  from  the  data  subject,  or 
from  the  data  subject's  parent,  legal 
guardian,  or  authorized  representative, 
it  should  be  signed  and: 

(1)  For  an  inquiry,  contain  sufficient 
identifying  information  about  the  data 
subject  to  permit  searching  of  the  record 
system(s)  and  to  permit  response;  and 

(2)  For  a  request: 

(i)  from  the  data  subject,  contain 
suMcient  information  to  locate  the 
record  and  establish  that  the  requester 
and  the  data  subject  are  the  same  (e.g. 
matching  signatures):  or 

(ii)  from  the  data  subject's  parent, 
legal  guardian,  or  authorized 
representative,  contain  sufficient 
information  to  locate  the  record,  match 
identity  with  the  data  subject,  and  such 
documentation  of  association  or 
authorization  as  is  prescribed  in 
paragraph  (b)  of  this  section. 

(e)  The  signed  request  fiom  the  data 
subject,  or  ^m  the  data  subject's 
parent,  legal  guardian,  or  au^orized 
representative  specified  in  (d)  above 
shall  be  sufficient  proof  of  identity  of  the 
requester,  unless  for  good  cause  the 
system  manager  or  designee  determines 
that  there  is  a  need  to  require  some 


notarized  or  certified  evidence  of  the 
identity  of  the  requester. 

(f)  The  system  manager  or  designee 
may  modify  the  type  of  proof  of  identity 
required  and  the  method  by  which  it  is 
provided,  on  a  case-by-case  basis  and 
within  the  limits  prescribed  in  (a),  (b). 
and  (c)  of  this  section. 

(g)  In  compliance  with  5  U.S.C. 
552a(e)(3).  each  requester  that  is  asked 
to  supply  the  information,  orally  or  in 
writing,  in  accordance  with  this  section 
shall  be  furnished  the  following 
information: 

(1)  5  U-S.C.  552a  authorizes 
solicitation  of  the  information, 
disclosure  is  voluntary,  and  no  penalty 
is  attached  for  failure  to  provide  the 
information; 

(2)  This  information  will  be  used  to 
process  the  inquiry  or  request  under  the 
Act  and  for  any  other  actions  that  may 
arise  under  the  Act  regarding  the 
specific  inquiry  or  request;  and 

(3)  The  effects  of  not  providing  all  or 
any  part  of  the  information  may  be  to 
render  impossible  or  to  delay  the 
Office's  or  the  agency's  processing  of 
and  action  on  the  inquiry /request. 

(h)  When  provisions  of  this  section 
are  alleged  to  have  the  effect  of 
impeding  an  individual  in  exercising 
rights  of  access,  the  Office  or  the  agency 
will  consider  from  the  individual  making 
the  request,  alternative  suggestions 
regarding  proof  of  identity  and  authority 
for  access  to  records. 

§  297.202  Inquiries. 

(a)  General.  Inquiries  about  the  Act  or 
this  part  may  be  made  in  person  or  by 
mail  at  any  OPM  or  agency  office.  A  list 
of  OPM  offices  is  included  in  the 
appendix  to  the  notice  of  OPM  systems 
of  records  published  annually  in  the 
Federal  Register.  A  general  inquiry  * 
would  be  a  request  for  assistance  in 
identifying  which  systems  of  records 
may  contain  a  record  about  the 
individual.  A  requester  is  not  required  to 
submit  identifying  information  in 
support  of  this  type  of  inquiry. 

(b)  Specific.  An  inquiry  that  request 
OPM  or  any  agency  to  determine  if  it 
has,  in  a  given  system  of  records,  a 
record  about  the  inquirer*  should  be 
addressed  to  the  official  identified  in  the 

*  Notification  procedures  paragraph  of  the 
Federal  Register  notice  for  the  system. 
Inquirers  should  specify  the  nqme  of  the 
system  of  records,  if  known,  as 
published  in  the  Federal  Re^ster  and 
inquiries  submitted  by  mail  should 
contain  the  words  “Privacy  Act  Inquiry" 
on  the  face  of  the  envelope  and  the 
letter.  Such  inquiries  should  contain  the 
identifying  data  prescribed  in  §  297.201 
of  this  subpart  before  a  search  can  be  , 
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made  of  that  particular  system  of 
records. 

§  297.203  Requests  for  access  to 
personnel  records. 

(a)  A  data  subject  shall  be  granted 
access  to  the  data  subject’s  own  records 
upon  request,  except  where  denial  is 
authoriz^  under  $  297.205(b)  of  this 
subpart.  To  request  access,  the 
individual  should  contact  the 
appropriate  system  managers  (or 
designees)  in^cated  in  the  OPM’s 
notices  of  system  of  records  published 
in  the  Federal  Register.  Requests  may  be 
made  in  person  or  by  mail.  Requests 
should  specify  the  name  of  the  system  of 
records,  if  known,  as  published  in  the 
Federal  Register.  Requests  submitted  by 
mail  should  contain  the  words  ’’Privacy 
Act  Request”  on  the  face  of  the  envelope 
and  the  tetter.  All  individuals  requesting 
access  to  records  must  meet  the 
identiHcation  requirements  set  forth  in 
section  297.201  of  this  subpart  Agencies 
may  provide  forms  to  facilitate  the 
servicing  of  requests  under  the  Act. 

(b)  When  an  individual  cites  the 
Freedom  of  Information  Act  (5  U.S.C. 

552)  ro  request  records  about  himself  or 
herself  which  are  contained  in  a  Privacy 
Act  system  of  records,  the  request  will 
be  processed  under  the  Privacy  Act. 
However,  no  Privacy  Act  exemption  will 
be  cited  to  deny  access  to  a  record 
which  would  otherwise  be  available 
under  the  Freedom  of  Information  Act. 

§  297.204  Methods  of  access. 

(a)  The  following  are  the  methods  for 
allowing  access  to  records  when  such 
access  has  been  granted  by  a  system 
manager  or  designee: 

(1)  Inspection  in  person  may  be  made 
in  the  office  designated  in  the  system 
notice  during  the  hours  specified  by  the 
OPM  or  the  agency;  or 

(2)  Records  may  be  transferred,  at  the 
determination  of  the  agency  or  OPM,  to 
an  agency  or  OPM  office  or  other 
Federal  facility  more  convenient  to  the 
data  subject  for  review;  or 

(3)  Ceneraly,  agency  and  OPM  offices 
will  not  furnish  certiHed  copies  of 
records.  Where  copies  of  records  are  to 
be  funished,  they  may  be  mailed  at  the 
request  of  the  data  subject  or,  as 
determined  by  the  agency  or  OPM.  only 
after  payment  of  any  fee  levied  in 
accordance  with  S  297.212  of  this 
subpart  is  received. 

(b)  The  Office  or  agency  reserves  the 
right  to  limit  access  to  original  records 
by  furnishing  copies.  In  no  event  shall 
original  records  be  made  available  to  an 
individual  except  in  the  presence  of  the 
system  manager  or  designee.  Title  18 
U.S.C..  section  2701(a)  makes  it  a  crime 


to  conceal,  mutilate,  obliterate,  or 
destroy  any  record  filed  in  a  public 
office,  or  attempt  to  do  any  of  the  ■ 
foregoing. 

(c)  Special  procedures  may  be  applied 
when  processing  requests  for. 

(1)  Medical  records  where  the  records 
contain  information  about  medical 
conditions  of  such  a  nature  that  a 
prudent  physician  woiild  hesitate  to 
inform  a  person  suffering  from  those 
conditions  of  their  exact  nature  or 
probable  outcome.  If  the  procedures  are 
to  be  applied,  it  shall  be  required  that 
the  information  sought  be  released  only 
to  a  licensed  physician  designated  in 
writing  for  that  purpose  by  the  data 
subject  or  the  data  subject’s  authorized 
representative,  parent,  or  legal  guardian; 

(2)  Examination  and  related  material 
shall  be  disclosed  only  under 
circumstances  that  maintain  the 
integrity  of  the  Office’s  competitive 
testing  program.  *1110  test  papers  of  a 
competitor  may  be  released  to  the 
competitor  only  during  the  examination, 
except  that  upon  request  the 
competitor’s  answer  sheet  may  be 
reviewed  by  the  competitor  in  the  office 
where  the  examination  was  given,  in  the 
presence  of  an  OPM  employee.  A  copy 
of  the  answer  sheet  will  not  be  made 
available  to  a  competitor. 

(d)  During  access,  the  OPM  or  agency 
official  shall  supply  necessary 
information  and  assistance  to  the  data 
subject.  'The  OPM  or  agency  officical 
shall  furnish  copies  of  any  releasable 
information  for  which  the  data  subject 
requests  copies  (in  accordance  with 

§  297.212)  and  shall  supply  information 
and  assistance  to  make  the  record(sl 
intelligible. 

(e)  The  data  subject,  or  the  data 
subject’s  parent,  legal  guardian,  or 
authorized  representative  may  be 
accompanied  by  someone  of  his  or  her 
choice  during  personal  access  and  shall 
authorize  the  presence  of  the 
accompanying  individual  in  a  signed 
and  dated  statement  containing  the 
name  of  the  accompanying  individual 
and  a  specific  description  of  the  record 
to  which  access  is  sought.  Neither  the 
data  subject  nor  his  or  her 
representative  shall  be  required  to 

.  justify  the  decision  to  be  accompanied 
during  access  to  a  record.  Access  in  this 
instance  includes  discussion  of  the 
record  in  the  presence  of  the 
accompanying  individual. 

§  297.205  Denials  of  access  requests. 

(a)  If  an  access  request  is  denied,  the 
system  manager  or  designee  shall  give 
the  requester  the  following  information: 


(1)  The  system  manager’s  or 
designee’s  name,  position  title,  and 
business  mailing  address; 

(2)  The  date  of  the  denial: 

(3)  The  reasons  for  the  denial, 
including  citation  of  appropriate 
sections  of  the  Act  and  this  part;  and 

(4)  The  individual’s  opportunities  for 
further  administrative  consideration, 
including  the  name,  position  title,  and 
address  of  the  OPM  official  responsible 
for  the  review  as  stated  in  §  297.206. 

(b)  Denial  of  a  request  for  access  to 
records  will  be  made  only  by  the  system 
manager  or  designee  and  only  upon  a 
determination  that; 

(1)  The  record  is  subject  to  an 
exemption  under  §  297.304  of  subpart  C 
of  this  part  when  the  system  manager 
has  elected  to  invoke  the  exemption; 

(2)  The  record  is  information  compiled 
in  reasonable  anticipation  of  a  civil 
action  or  proceeding;  or 

(3)  'The  data  subject  refuses  to  abide 
by  special  procedures  for  access  to 
records  enumerated  in  S  297.204(c). 

§  297.206  Request  for  administrative 
review  of  denial  of  access. 

(a)  For  denials  of  access  made  under 
§  297.205(b)  of  this  subpart,  the 
following  procedures  apply: 

(1)  For  denials  made  by  the  agency.  ■ 
when  the  record  is  maintained  in  one  of 
the  Office’s  Government-wide  systems 
of  records  where  the  notice  for  that 
system  has  delegated  to  the  agencies  the 
authority  to  make  initial  decisions  to 
grant  or  deny  access,  a  request  for 
administrative  review  of  a  denial  shall 
be  made  only  to  the  Assistant  Director 
for  Agency  Compliance  and  Evaluation. 
Office  of  Personnel  Management.  1900  E 
Street,  NW..  Washington.  D.C.  20415: 
and 

(2)  For  denials  made  by  an  OPM 
official  a  request  for  administrative 
review  of  the  denial  shall  be  made  only 
to  the  General  Counsel.  Office  of 
Personnel  Management,  1900  E  Street 
NW..  Washington.  D.C.  20415. 

(b)  The  OPM  official  shall 
acknowledge  receipt  of  a  request  for 
administrative  review  of  a  denial  of 
access  within  ten  working  days.  A 
decision  on  the  request  should 
accompany  this  acknowledgement 
whenever  possible.  If  it  is  not  possible 
to  reach  a  decision  within  ten  working 
days,  the  requester  shall  be  informed  of 
the  approximate  date  (within  thirty 
working  days]  when  such  a  decision 
may  be  expected. 

(c)  To  assure  a  fair  and  equitable 
decision,  the  OPM  official  will  review 
the  criteria,  prescribed  in  S  297.205  of 
this  part,  which  were  cited  as  the  basis 
for  denying  access,  and  may  seek 
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additional  information  as  deemed  as 
necessary. 

(d)  When  a  decision  is  reached,  the 
requester  will  be  informed  of  the 
decision;  the  basis  for  the  decision;  the 
name,  position  title  and  business  mailing 
address  of  the  official  responsible  for 
the  decision;  what  further  action,  if  any, 
may  be  necessary  on  the  part  of  the 
agency;  and  the  requester's  right  to  seek 
judicial  review  of  the  decision. 

§  297.207  Judicial  review. 

Upon  receipt  of  notification  that  the 
denial  of  access  has  been  upheld  on 
administrative  review,  the  requester  has 
the  right  to  judicial  review  of  the 
decision  for  up  to  two  years  from  the 
date  on  which  the  cause  for  action 
arises  or  is  discovered.  Judicial  review 
may  be  sought  in  the  district  court  of  the 
United  States  in  the  district  in  which  the 
requester  either  resides,  has  his  or  her 
principal  place  of  business,  where  the 
agency  records  are  situated,  or  in  the 
District  of  Columbia. 

§  297.208  Request  for  amendment  of 
record. 

(a)  Data  subjects  may  request  the 
amendment  of  their  records  in  writing  or 
in  person  by  coihacting  the  system 
manager  or  designee  indicated  in  the 
notice  of  systems  of  records  published 
by  the  Office  in  the  Federal  Register. 
Requests  by  mail  will  be  expedited  if  the 
words  “PRIVACY  ACT  AMENDMENT 
REQUEST’  appear  in  capital  letters  on 
the  face  of  the  envelope  and  enclosed 
letter.  Misaddressed  or  misdirected 
requests  will  be  forwarded  promptly  to 
the  proper  office.  Time  limits  prescribed 
in  §  297.306  of  subpart  C  of  this  part  will 
be  measured  from  receipt  at  the  proper 
office.  In  each  instance  when  a 
forwarded  request  is  received,  the 
receiving  office  shall  notify  the  data 
subject  that  the  request  was  improperly 
addressed  or  marked,  and  the  date 
when  the  request  was  received  in  the 
proper  office. 

(b)  A  request  for  amendment  should 
include  the  following; 

(1)  The  precise  identification  of  the 
records  sought  to  be  amended  (for 
example,  description,  title,  date, 
paragraph,  sentence,  line,  and  words); 

(2)  The  specific  material  to  be  deleted, 
if  any; 

(3)  The  specific  material  to  be  added, 
if  any,  and  the  exact  place  at  which  it  is 
to  be  added;  and 

(4)  A  statement  of  the  reasons  for  the 
request,  with  all  available  documents 
and  material  that  substantiate  the 
request. 

(c)  If  necessary,  the  official  authorized 
to  rule  on  a  request  for  amendment  may 


seek  additional  information  pertinent  to 
the  request  to  assure  that  a /fair, 
equitable,  and  accurate  decision  is 
reached. 

§  297.209  Response  to  request  for 
amendment  of  records. 

(a)  The  system  manager  or  designee 
must  respond  in  writing  to  the  request 
for  amendment  of  a  record  within  ten 
working  days  of  receipt.  This  response 
shall  inform  the  requester  of  the' 
decision,  whenever  possible. 

(b)  If  the  decision  cannot  be  reached 
within  ten  working  days,  the  requester 
shall  be  informed  of  the  reason  for  delay 
and  the  date  (within  thirty  working 
days)  it  is  expected  that  the  decision 
will  be  made. 

§  297.210  Request  for  administrative 
review  of  denial  of  an  amendment. 

(a) (1)  A  request  for  administrative 
review  of  agencies'  denials  to  amend  a 
record  in  an  OPM  system  of  records 
shall  be  addressed  to  the  Assistant 
Director  for  Agency  Compliance  and 
Evaluation,  Office  of  Personnel 
Management,  1900  E  Street,  N.W.. 
Washington,  D.C.  20415. 

(2)  A  request  for  administrative 
review  of  a  denial  to  amend  a  record  by 
an  OPM  official  shall  be  addressed  to 
the  General  Counsel,  Office  of  Personnel 
Management,  1900  E  Street,  N.W.. 
Washington.  D.C.  20415. 

(b)  All  requests  for  review  of  denials 
must  be  made  in  writing  and  signed  by 
the  data  subject.  Processing  will  be 
expedited  if  the  words  “PRIVACY  ACT 
AMENDMENT  APPEAL”  appear  in 
capital  letters  on  both  the  envelope  and 
at  the  top  of  the  appeal  papers. 
Misaddressed  or  misdirected  requests 
will  be  forwarded  immediately  to  the 
proper  office.  The  time  limit  for  response 
shown  in  section  297.308  will  be 
measured  ffiim  the  time  of  receipt  in  the 
proper  office. 

(c)  When  a  request  for  administrative 
review  of  an  amendment  denial  is 
submitted,  the  individual  must  provide  a 
copy  of  the  original  request  for 
amendment,  a  copy  of  the  initial  denial, 
and  a  statement  of  the  specffic  reasons 
why  the  initial  denial  is  believed  to  be 
in  error. 

(d)  When  a  decision  is  reached,  the 
requester  will  be  informed  of  the 
decision;  the  bais  for  the  decision;  the 
name,  position  title  and  business  mailing 
address  of  the  official  responsible  for 
the  decision;  what  further  action,  if  any, 
may  be  necessary  on  the  part  of  the 
agency;  and  the  requester's  right  to  seek 
judicial  review  of  the  decision. 


§  297.21 1  Judicial  review. 

Upon  receipt  of  notification  that  the 
denial  to  amend  a  record  has  been 
upheld  on  administrative  review,  the 
requester  has  the  right  to  judicial  review ' 
of  the  decision  for  up  to  two  years  from 
the  date  on  which  the  cause  for  action 
arises  or  is  discovered.  Judicial  review 
may  be  sought  in  the  district  court  of  the 
United  States  in  the  District  in  which 
either  the  requester  resides,  has  his  or 
her  principal  place  of  business,  where 
the  agency  records  are  situated,  or  in  the 
District  of  Columbia. 

§297.212  Fees. 

(a)  Generally,  the  policy  of  the  Office 
is  to  provide  the  first  copy  of  any  record 
or  portion  thereof,  furnished  as  a  result 
of  a  Privacy  Act  request  for  access,  at 
no  cost  to  the  data  subject  or  authorized 
representative.  However,  in  cases  where 
the  Office  or  agency  deems  it 
appropriate  (e.g.,  where  the  record  is 
voluminous)  the  system  manager  or 
designee  at  his  or  her  discretion  may 
charge  a  fee  when  the  cost  would  be  in 
excess  of  ten  dollars  ($10.00). 

(b)  The  schedule  of  fees  for 
duplication  appears  in  Part  294  of  this 
Chapter. 

(c)  Except  as  noted  in  paragraph  (a)  of 
this  section,  no  fees  shall  be  charged  or 
collected  from  a  data  subject  for  the 
following;  search  for  or  retrieval  of  the 
data  subject's  records;  review  of  the 
records;  making  a  copy  of  a  record  when 
it  is  a  necessary  part  of  the  process  of 
making  the  record  available  for  review; 
copying  at  the  initiative  of  the  Office  or 
an  agency  without  a  request  from  the 
individual;  transportation  of  the  record; 
and  making  a  copy  of  an  amended 
record  to  provide  the  individual  with 
evidence  of  the  amendment. 

(d)  When  a  fee  is  requested,  the  check 
or  money  order  shall  be  made  payable 
to  the  Office  of  Personnel  Management 
and  sent  to  the  appropriate  system 
manager  or  designee. 

§  297.213  Dislosures  generalty  prohibited. 

Generally,  the  Office  or  any  agency 
may  not  disclose  any  record  in  an  OPM 
system  of  records  to  any  person  or 
another  agency,  other  than  the  data 
subject,  u^ess  the  disclosure  is; 

(a)  Pursuant  to  the  specific  written 
statement  of  the  data  subject 
authorizing  a  representative  to  gain 
access  to  the  data  subject's  record,  as 
prescribed  in  §  297.201  of  this  subpart; 

(b)  To  anyone  or  any  other  agency 
that  requests  the  data,  provided  the 
prior  specific  written  consent  of  the  data 
subject  is  obtained; 

(c)  To  a  parent  of  a  minor  data  subject 
or  the  legal  guardian  of  a  data  subject  in 
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accordance  with  5  U.S.C.  552a(h)  and 
S  297.201  of  this  subpart; 

.(d)  Among  the  disclosures  without 
prior  consent  of  the  data  subject 
permitted  by  5  U.S.C.  552a(b)  (1)  through 
(11),  and  as  listed  in  §  297.503  of  subpart 
E  of  this  part:  or 

(e)  Required  by  the  Privacy  Act  and 
not  covered  explicitly  by  the  disclosure 
provisions  of  5  U.S.C.  552a(b).  The 
situations  referred  to  in  this  paragraph 
include  the  following: 

(1)  Pursuant  to  5  U.S.C.  552a(cK4). 
which  in  certain  circumstances  requires 
dissemination  by  the  OPM  or  the 
agencies  of  an  amended  record  or 
notation  of  disagreement  statement;  or 

(2)  Pursuant  to  5  U.S.C.  552a(g).  which 
authorizes  an  individual  to  institute  a 
civil  action  and  requires  disclosure  by 
the  OPM  or  an  agency  to  the  court. 

§  297.214  Request  for  accounting  of 
disclosures. 

(a)  Except  for  disclosures  to  agency 
ofRcials  who  have  a  need  for  access  to 
the  record,  to  Office  employees 
requiring  access  to  the  records,  or 
required  by  the  Freedom  of  Information 
Act,  all  disclosures  from  an  OPM 
Government-wide  system  of  records 
shall  be  accounted  for  by  the  keeping  of 
a  written  record  of  the  disclosure  as 
outlined  in  §  297.506  of  this  part.  An 
individual  may  request  access  to  the 
accounting  of  disclosures  of  the 
individual’s  record  by  submitting  a 
Privacy  Act  request  for  any  such 
accounting  to  the  appropriate  system 
manager  or  designee  for  the  appropriate 
system  of  records. 

(b)  The  system  manage  or  designee 
shall  respond  to  such  a  request  within 
ten  working  days  and  shall  inform  the 
requester,  for  each  disclosure  made:  the 
description  of  the  record  disclosed;  the 
date,  method,  and  purpose  of  each 
disclosure;  the  name  and  address  of  the 
person  to  whom  the  disclosure  was 
made:  and  the  name  and  position  title  of 
the  person  making  the  disclosure. 

(c)  The  only  basis  for  denying  access 
to  any  accounting  of  disclosure  is  where 
the  disclosure  was  made  under  5  U.S.C. 
552a(b)(7).  When  the  system  manager  or 
designee  denies  a  request  for  any 
accounting  of  disclosure,  the  requester 
shall  be  ii^ormed  of; 

(1)  Why  the  accounting  of  disclosure, 
although  required  to  be  maintained, 
does  not  have  to  be  furnished; 

(2)  The  name  and  position  title  of  the 
system  manager  or  designee  making  the 
denial:  and 

(3)  The  right  of  the  requester  to  seek 
adiministrative  review  of  that  decision 
by  contacting: 


(i)  The  Assistant  Director  for  Agency 
Compliance  and  Evaluation.  Office  of 
Personnel  Management.  1900  E  Street 
NW,  Washington.  D.C..  20415,  if  an 
agency  official  denied  access  to  the 
accounting  of  disclosure;  or 

(ii)  The  General  Counsel,  Office  of 
Personnel  Management.  1900  E  Street, 
NW.,  Washington,  D.C.  20415,  if  an  OPM 
official  denied  access  to  the  accounting 
of  disclosure. 

Subpart  C— Agency  Responsibilities 
for  Processing  Privacy  Act  Requests 

§  297.301  Responsibilities. 

(a)  All  agencies  are  responsible  for 
protection  of  individual  privacy  in  their 
personnel  management  processes.  Each 
agency  is  responsible  for: 

(1)  Its  internal  systems  of  personnel 
records  for  which  agencies  have  sole 
responsibility;  and 

(2)  Government-wide  systems  of 
personnel  records  which  the  Office 
manages  and  for  which  agencies  and 
OPM  share  responsibilities. 

(b)  The  Office  is  responsible  for 
describing  the  division  of  required 
Privacy  Act  functions  between  OPM  and 
the  agencies  for  the  Government-wide 
systems  of  personnel  records  OPM 
manages.  Iliis  division  of  functions  is 
described  in  this  part,  and  in  Chapters 
293  and  297  of  the  Federal  Personnel 
Manual. 

(c)  The  Office  or  agency  must  respond 
to  all  reasonable  inquiries  concerning 
the  Privacy  Act  or  the  regulations 
contained  within  part  297. 

§  297.302  Verification  of  identity  of 
requester. 

The  Office  or  agency  shall  verify  the 
identity  of  an  idividuai  either  requesting 
access  or  amendment  to  the  individual’s 
own  records  or  submitting  a  specific 
inquiry  as  defined  and  in  accordance 
with  requirements  prescribed  in 
§  297.201  of  this  part.  Alternatively,  the 
system  manager  or  designee  may  accept 
other  proof  of  identity  commensurate 
with  any  unusual  circumstances 
surrounding  the  request 

§  297.303  Response  to  access  requests. 

(a)  Time  limits.  ’The  Office  or  agency 
must  respond  within  ten  working  days 
after  receipt  by  the  system  manager  or 
designee  to  each  specific  inquiry  or 
request  for  access.  If  the  requested  data 
or  an  answer  to  a  specific  inquiry 
cannot  be  furnished  within  the  ten  day 
period,  the  response  will  be  sent  within 
that  time  giving  the  status  of  the  matter, 
the  expected  date  the  material  or 
answer  will  be  furnished,  or  requesting 
any  additional  information  needed  to 
process  the  specific  inquiry  or  request  . 


for  access.  Action  will  be  completed  as 
soon  as  possible  thereafter,  but  not  later 
than  thirty  working  days  after  receipt  of 
the  original  specific  inquiry,  request  for 
access,  or  receipt  of  the  additional 
information  that  was  requested. 

In  unusual  circumstances  and  for  good 
cause,  an  OPM  or  agency  official  may 
decide  that  action  cannot  be  completed 
within  30  days.  In  such  a  case,  the  OPM 
or  the  agency  official  will  advise  the 
individual  of  the  reason  for  the  delay 
and  the  date  by  which  action  can  be 
expected  to  be  completed.  Unusual 
circumstances  would  exist,  for  example, 
when  the  record  must  be  retrieved  from 
archival  storage  or  requested  from 
another  agency,  when  a  voluminous 
amount  of  material  must  be  reviewed,  or 
where  information  on  other  individuals 
must  be  separated  or  deleted  from  a 
particular  record. 

(b)  Granting  of  access.  The  system 
manager  or  designee  shall  make  the 
entire  contents  of  the  requested  record 
available  to  a  properly  identified  data 
subject  or  the  data  subject’s  authorized 
representative,  except  for  data  that: 

(1)  Is  subject  to  a  properly 
promulgated  exemption  and  for  which 
the  exemption  has  been  applied 

(§  297.304) 

(2)  Requires  special  procedures  for 
access  (§  297.204);  or 

(3)  Is  withheld  in  reasonable 
anticipation  of  a  civil  proceeding 
(§  297.205(b)(2)). 

Generally,  the  Office’s  policy  is  that 
there  shall  be  no  charge  for  the  first 
copy  of  the  information  being  requested. 
’Thereafter,  copies  of  the  same  records 
will  be  furnished  on  request  in 
accordance  with  the  fee  schedule  listed 
in  Part  294  of  this  Chapter.  'The  system 
manager  or  designee,  at  his  or  her 
discretion,  can  elect  to  furnish  a  copy  of 
the  material  to  the  requester  in  person 
or  by  mail. 

(c)  Denial  of  access.  Where  it  is 
necessary  for  the  system  manager  or 
designee  to  deny  access  to  all  or  any 
part  of  the  requested  record,  the 
decision  must  be  based  on  one  of  the 
reasons  for  denial  set  forth  in  §  297.205 
of  subpart  B  of  this  part  In  addition  to 
providing  the  requested  information 
about  the  denial  which  is  prescribed  by 
paragraph  297.205(a)  of  this  part,  the 
Office  or  agency  official  claiming  an 
exemption  from  the  access  provisions  of 
the  Privacy  Act  will: 

(1)  Inform  the  requester  when  any 
portion  of  the  recoil  is  exempt  and, 
where  appropriate,  clearly  describe  any 
material  in  the  record  that  is  exempt  in  • 
its  entirety,  in  such  a  manner  that  will 
enable  the  requester  to  know  of  the 
existence  of  such  material  and  to  be 
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able  to  sufficiently  describe  it  in  any 
request  for  review  of  the  decision 
exempting  it;  and 

(2)  Inform  the  requester  of  the  basis 
for  any  denial  and  his  or  her  right  to 
appeal  the  decision  to  exempt  any  part 
or  all  of  the  requested  record,  to  Ae 
Assistant  Director  for  Agency 
Compliance  and  Evaluation,  in  the  case 
of  an  agency  denial,  and  in  the  case  of 
an  OPM  denial,  to  the  General  Counsel, 
OfHce  of  Personnel  Management,  1900  E. 
Street,  N.W.,  Washington,  D.C.  20415. 

§  297.304  Exempt  records. 

(a)  Several  OPM  Internal,  Central,  and 
Government-wide  systems  of  records 
contain  information  for  which 
exemptions  appearing  at  5  U.S.C. 
552a(k)(l),  (2),  (3),  (5),  and  (6)  may  be 
claimed,  the  systems  of  records  for 
which  the  exemptions  are  claimed,  the 
specific  exemptions  determined  to  be 
necessary  and  proper  with  respect  to 
these  systems  of  records,  the  records 
exempted,  the  provisions  of  the  Act  from 
which  they  are  exempted,  and  the 
justifications  for  the  exemptions  are  set 
forth  below. 

(b)  Specific  exemptions. 

(1)  Applicants  for  Employment 
Records  (OPM/INTERNAL-0). 

All  material  and  information  in  these 
records  that  meets  the  criteria  stated  in 
5  U.S.C.  552a(k)(6)  is  exempt  from  the 
requirements  of  5  U.S.C.  552a(d).  relating 
to  access  and  amendment  of  the  records 
by  the  data  subject.  This  exemption  is 
claimed  because  portions  of  this  system 
relate  to  testing  or  examination 
materials  used  solely  to  determine 
individual  qualifications  for 
appointment  or  promotion  in  the  Federal 
service.  Access  to  or  amendment  of  this 
information  by  the  data  subject  would 
compromise  the  objectivity  and  fairness 
of  the  testing  or  examination  process. 

(2)  Pre-employment  Inquiry  Records 
(OPM/INTERNAI^IO).  All  information 
about  individuals  in  these  records  that 
meets  the  criteria  stated  in  5  U.S.C. 
552a(k)(5)  is  exempt  from  the 
requirements  of  5  U.S.C.  552a  (c)(3)  and 
(d).  These  provisions  of  the  Privacy  Act 
relate  to  making  accountings  of 
disclosures  available  to  the  data  subject 
and  access  to  and  amendment  of 
records. 

These  exemptions  are  claimed 
because  this  system  contains 
investigatory  material  compiled  solely 
for  determining  qualifications  for 
Federal  civilian  employment.  To  the 
extent  that  the  disclosure  of  such 
material  would  reveal  the  identity  of  a 
source  who  furnished  information  to  the 
Government  under  an  express  promise 
that  the  identity  of  the  source  would  be 


held  in  confidence,  or,  prior  to 
September  27, 1975,  under  an  implied 
promise  that  the  identity  of  the  source 
would  be  held  in  confidence,  the 
application  of  exemption  (k)(5)  will  be 
required  to  honor  such  a  promise  should 
the  data  subject  request  the  accounting 
of  disclosures  of  the  record  or  access  to 
or  amendment  of  the  record. 

(3)  Personnel  Research  Test 
Validation  Records  (OPM/CENTRAL- 
3).  All  material  and  information  in  these 
records  that  meets  the  criteria  stated  in 
5  U.S.C.  552a(k)(6)  is  exempt  from  the 
requirements  of  5  U.S.C.  552a(d),  relating 
to  access  to  and  amendment  of  the 
records  by  the  data  subject.  This 
exemption  is  claimed  because  portions 
of  this  system  relate  to  testing  or 
examination  materials  used  solely  to 
determine  individual  qualifications  for 
appointment  or  promotion  in  the  Federal 
service.  Access  to  or  amendment  of  this 
information  by  the  data  subject  would 
compromise  the  objectivity  and  fairness 
of  the  testing  or  examination  process. 

(4)  Administrative  Law  Judge 
Applicant  Records  (OPM/CENTRAL-8). 

(i)  All  information  about  individuals 
in  these  records  that  meets  the  criteria 
stated  in  5  U.S.C.  552a(k)(5)  is  exempt 
from  the  requirements  of  5  U.S.C.  552a 

(c)(3)  and  (d).  These  provisions  of  the 
Privacy  Act  relate  to  making 
accountings  of  disclosures  available  to 
the  data  subject  and  access  to  and 
amendment  of  records.  These 
exemptions  are  claimed  because  this 
system  contains  investigatory  material 
compiled  solely  for  the  purposes  of 
determining  suitability,  eligibility,  and 
qualifications  for  Federal  civilian 
employment.  To  the  extent  that  the 
disclosure  of  such  material  would  reveal 
the  identity  of  a  soiuce  who  furnished 
information  to  the  Government  under  an 
express  promise  that  the  identity  of  the 
source  would  be  held  in  confidence,  or, 
prior  to  September  27, 1975,  under 
implied  promise  that  the  identity  of  the 
source  would  be  held  in  confidence,  the 
application  of  exemption  (k)(5)  will  be 
required  to  honor  such  a  promise  should 
the  data  subject  request  access  to  the 
accounting  of  disclosures  of  the  record, 
or  access  to  or  amendment  of  the  record. 

(ii)  All  material  and  information  in 
these  records  that  meets  the  criteria 
stated  in  5  U.S.C.  552a(k)(6)  is  exempt 
from  the  requirements  of  5  U.S.C. 

552a(d),  relating  to  access  to  and 
amendment  of  the  records  by  the  data 
subject.  This  exemption  is  claimed 
because  portions  of  this  system  relate  to 
testing  or  examination  materials  used 
solely  to  determine  individual 
qualifications  for  appointment  or 
promotion  in  the  Federal  service.  Access 


to  or  amendment  of  this  information  by 
the  data  subject  would  compromise  the 
objectivity  and  fairness  of  the  testing  or 
examination  process. ' 

(5)  Litigation  and  Claims  Records 
(OPM/CENTRAL-9). 

(i)  When  litigation  or  claims  cases 
occur,  information  from  other  existing 
systems  of  records  may  be  incorporated 
into  the  case  file.  This  information  may 
be  material  for  which  exemptions  have 
been  claimed  by  the  Office  in  this 
section.  To  the  extent  that  such  exempt 
material  is  incorporated  into  a  litigation 
or  claim  case  file  the  apporpriate 
exemption  (5  U.S.C.  552a(k)  (1),  (2),  (3). 
(5),  or  (6))  shall  also  apply  to  the 
material  as  it  appears  in  this  system. 

The  exemptions  shall  be  only  from  those 
provisions  of  the  Act  which  were 
claimed  for  the  systems  from  which  the 
recorc*  3  originated. 

(ii)  During  the  course  of  litigation  or 
claims  cases,  it  may  be  necessary  to 
conduct  investigations  to  develop 
information  and  evidence  relevant  to  the 
case.  These  investigative  records  may 
include  material  meeting  the  criteria 
stated  in  5  U.S.C.  552a(k)  (1),  (2),  (3),  (5). 
and  (6).  Such  material  is  exempt  from 
the  requirement  of  5  U.S.C.  552a  (c)(3) 
and  (d).  These  provisions  of  the  Act 
relate  to  making  accounting  of 
disclosures  available  to  the  data  subject 
and  access  to  an  amendment  of  records. 
The  specific  applicability  of  the 
exemptions  to  this  system  and  the 
reasons  for  the  exemptions  are  as 
follows: 

(A)  Such  investigations  may  obtain 
from  another  Federal  agency  properly 
classified  information  which  pertains  to 
national  defense  and  foreign  policy. 
Application  of  exemption  (k)(l)  may  be 
necessary  to  preclude  the  data  subject’s 
access  to  and  amendment  of  such 
classified  information  under  5  U.S.C. 
552a(d); 

(B)  Such  investigations  may  obtain 
from  another  Federal  agency 
investigatory  material  compiled  for  law 
enforcement  purposes  other  than 
material  within  the  scope  5  U.S.C. 
552a(j)(2).  e.g.,  administration  of  the 
merit  system.  All  information  about 
individuals  in  these  records  that  meets 
the  criteria  of  5  U.S.C.  552a(k)(2)  is 
exempt  from  the  requirements  of  5 
U.S.C.  552a  (c)(3)  and  (d).  Application  of 
exemption  (k)(2)  may  be  necessary  to 
preclude  the  data  subject’s  access  to  or 
amendment  of  those  records; 

(C)  Such  investigations  may  obtain 
fivm  another  Federal  agency 
information  that  relates  to  providing 
protective  services  to  the  Ftesident  of 
the  United  States  or  other  individuals 
pursuant  to  section  3056  of  title  18.  All 
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information  about  individuals  in  these 
records  that  meets  the  criteria  of  5 
U.S.C.  552a(k](3)  is  exempt  from  the 
requirements  of  5  U.S.C.  552a  (d). 
(e)(4)(H).  and  (f).  Application  of 
exemption  (k)(3)  may  be  necessary  to 
preclude  the  data  subject's  access  to 
and  amendment  of  such  records: 

(D)  All  information  about  individuals 
in  these  records  that  meets  the  criteria 
stated  in  5  U.S.C.  552a(k)(5)  is  exempt 
from  the  requirements  of  5  U.S.C.  552a 
(c)(3)  and  (d).  These  provisions  of  the 
Privacy  Act  relate  to  making 
accountings  of  disclosures  available  to 
the  data  subject  and  access  to  and 
amendment  of  records.  These 
exemptions  are  claimed  because  this 
system  contains  investigatory  material 
compiled  solely  for  the  purposes  of 
determining  suitability,  eligibility,  and 
qualifications  for  Federal  civilian 
employment.  To  the  extent  that  the 
disclosure  of  such  material  would  reveal 
the  identity  of  a  source  who  furnished 
information  to  the  Government  under  an 
express  promise  that  the  identity  of  the 
source  would  be  held  in  confidence,  or, 
prior  to  September  27, 1975,  under  an 
implied  promise  that  the  identity  of  the 
source  would  be  held  in  confidence,  the 
application  of  exemption  (k)(5)  will  be 
required  to  honor  such  a  promise  should 
the  data  subject  request  access  to  the 
accounting  of  disclosure,  or  access  to  or 
amendment  of  the  record,  that  would 
reveal  the  identity  of  a  confidential 
source;  or 

(E)  All  material  and  information  in 
these  records  that  meets  the  criteria 
stated  in  5  U.S.C.  552a(k)(6)  is  exempt 
from  the  requirements  of  5  U.S.C. 

552a(d),  relating  to  access  and 
amendment  of  the  records  by  the  data 
subject.  This  exemption  is  claimed 
because  portions  of  this  system  relate  to 
testing  or  examination  materials  used 
solely  to  determine  individual 
qualifications  for  appointment  or 
promotion  in  the  Federal  service.  Access 
to  or  amendment  by  the  data  subject  of 
this  information  would  compromise  the 
objectivity  and  fairness  of  the  testing  or 
examination  process. 

(6)  Privacy  Act/Freedom  of 
Information  Act  Case  Records  (0PM/ 
CENTRAL-IO).  In  paragraphs  (1) 
through  (5)  and  (7)  through  (9)  of  this 
section,  the  Office  has  claimed 
exemptions  for  other  of  its  systems  of 
records  where  it  felt  such  exemptions 
are  appropriate  and  necessary.  These 
exemptions  are  claimed  under  5  U.S.C. 
552a(k)  (1),  (2).  (3),  (5).  and  (6).  During 
the  course  of  a  Privacy  Act/Freedom  of 
Information  Act  case  (which  may 
include  access  requests,  amendment 
requests,  and  request  for  review  for  ; 


initial  denials  of  such  requests)  exempt 
materials  from  those  other  systems  may 
in  turn  become  part  of  the  case  record  in 
this  system.  To  the  extent  that  copies  of 
exempt  records  from  those  other 
systems  are  entered  into  this  system,  the 
Office  hereby  claims  the  same 
exemptions  for  the  records  as  they  have 
in  the  original  primary  system  of  which 
they  are  a  part. 

(7)  Personnel  Investigations  Records 
(OPM/CENTRAL-11).  All  material  and 
information  in  these  records  that  meets 
the  criteria  stated  in  5  U.S.C.  552a(k)(l), 
(2).  (3)  (5).  and  (6)  is  exempt  from  the 
requirements  of  5  U.S.C.  552a(c)(3)  and 
(d).  These  provisions  of  the  Privacy  Act 
related  to  making  accountings  of 
disclosures  available  to  the  data  subject 
and  access  to  and  amendment  of 
records. 

The  specific  applicability  of  the 
exemptions  to  this  system  ^nd  the 
reasons  for  the  exemptions  are  as 
follows; 

(i)  Personnel  investigations  may 
obtain  from  another  Federal  agency 
properly  classified  information  which 
pertains  to  national  defense  and  foreign 
policy.  Application  of  exemption  (k)(l) 
may  be  necessary  to  preclude  the  data 
subject’s  access  to  and  amendment  of 
such  classified  information  under  5 
U.S.C.  552a(d). 

(ii)  Personnel  investigations  may 
contain  investigatory  material  compiled 
for  law  enforcement  purposes  other  than 
material  within  the  scope  of  5  U.S.C. 
552a(j)(2).  e.g.,  investigations  into  the 
administration  of  the  merit  system. 
Application  of  exemption  (k)(2)  may  be 
necessary  to  preclude  the  data  subject's 
access  to  or  amendment  of  such  records, 
under  552a(c)(3)  and  (d). 

(iii)  Personnel  investigations  may 
obtain  from  another  Federal  agency 
information  that  relates  to  providing 
protective  services  to  the  President  of 
the  United  States  or  other  individuals 
pursuant  to  section  3056  of  title  18. 
Application  of  exemption  (k)(3)  may  be 
necessary  to  preclude  the  data  subject's 
access  to  and  amendment  of  such 
records  under  5  U.S.C.  552a(d). 

(iv)  All  information  about  individuals 
in  these  records  that  meets  the  criteria 
stated  in  5  U.S.C.  552a(k)(5)  is  exempt 
from  the  requirements  of  5  U.S.C. 
552a(c)(3)  and  (d).  These  provisions  of 
the  Privacy  Act  relate  to  making 
accountings  of  disclosures  available  to 
the  data  subject,  and  access  to  and 
amendment  of  records. 

These  exemptions  are  claimed 
because  this  system  contains 
investigatory  material  compiled  solely 
for  the  purpose  of  determining 
suitability,  eligibility,  and  qualifications 


for  Federal  civilian  employment.  To  the 
extent  that  the  disclosure  of  material 
would  reveal  the  identity  of  source  who 
furnished  information  to  the 
Government  under  an  express  promise 
that  the  identity  of  the  source  would  be 
held  in  confidence,  or,  prior  to 
September  27, 1975,  under  an  implied 
promise  that  the  identity  of  the  source 
would  be  held  in  confidence,  the 
application  of  exemption  (k)(5)  will  be 
required  to  honor  such  a  promise  should 
the  data  subject  request  access  to  or 
amendment  of  the  record,  or  access  to 
the  accounting  of  disclosures  of  the 
record. 

(v)  All  material  and  information  in 
these  records  that  meets  the  criteria 
stated  in  5  U.S.C.  552a(k)(6)  is  exempt 
from  the  requirements  of  5  U.S.C. 

552a(d),  relating  to  access  to  and 
amendment  of  the  records  by  the  data 
subject.  This  exemption  is  claimed 
because  portions  of  this  system  relate  to 
testing  or  examination  materials  used 
solely  to  determine  individual 
qualifications  for  appointment  or 
promotion  in  the  Federal  service.  Access 
to  or  amendment  of  this  information  by 
the  data  subject  would  compromise  the 
objectivity  and  fairness  of  the  testing  or 
examination  process. 

(8)  Presidential  Management  Intern 
Program  Records  (OPM/CENTRAL-13). 
All  material  and  information  in  these 
records  that  meets  the  criteria  stated  in 
5  U.S.C.  552a(k)(6)  are  exempt  from  the 
requirements  of  5  U.S.C.  552a(d),  relating 
to  access  to  and  amendment  of  records 
by  the  data  subject.  This  exemption  is 
claimed  because  portions  of  this  system 
relate  to  testing  or  examination 
materials  used  solely  to  determine 
individual  qualifications  for 
appointment  or  promotion  in  the  Federal 
service  and  access  to  or  amendment  of 
this  information  by  the  data  subject 
would  compromise  the  objectivity  and 
fairness  of  the  testing  or  examination 
process. 

(9)  Recruiting,  Examining,  and 
Placement  Records  (OPM/GOVT-5). 

(i)  All  information  about  individuals 
in  these  records  that  meets  the  criteria 
stated  in  5  U.S.C.  552a(k)(5)  is  exempt 
from  the  requirements  of  5  U.S.C. 
552a(c)(3)  and  (d).  These  provisions  of 
the  Privacy  Act  relate  to  making 
accountings  of  disclosures  available  to 
the  data  subject  and  access  to  and 
amendment  of  records.  These 
exemptions  are  claimed  because  this 
system  contains  investigative  material 
compiled  solely  for  the  purpose  of 
determining  the  appropriateness  of  a 
request  for  approval  of  an  objection  to 
an  eligible’s  qualification  for 
employment  in  the  Federal  service.  To 
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the  extent  that  the  disclosure  of  such 
material  would  reveal  the  identity  of  a 
source  who  furnished  information  to  the 
Government  under  an  express  promise 
that  the  identity  of  the  source  would  be 
held  In  confidence,  the  application  of 
exemption  (k)(5)  will  be  required  to 
honor  such  a  promise  should  the  data 
subject  request  access  to  the  accounting 
of  disclosures  of  the  record  or  access  to 
or  amendment  of  the  record. 

(ii)  All  material  and  information  in 
these  records  that  meets  the  criteria 
stated  in  5  U.S.C.  552a(k)(6)  are  exempt 
from  the  requirements  of  5  U.S.C. 

552a(d],  relating  to  access  to  and 
amendment  of  records  by  the  subject. 
This  exemption  is  claimed  because 
portions  of  this  system  relate  to  testing 
or  examination  materials  used  solely  to 
determine  individual  qualification  for 
appointment  or  promotion  in  the  Federal 
service  and  access  to  or  amendment  of 
this  information  by  the  data  subject 
would  compromise  the  objectivity  and 
fairness  of  the  testing  or  examination 
process. 

§  297.305  Response  to  request  for 
administrative  review  of  denial  of  access. 

(a)  The  Office  will  make  every  effort 
to  reach  a  decision  within  ten  working 
days  on  each  request  for  administrative 
review  of  a  denial  of  access.  If  a 
decision  cannot  be  made  within  the  ten 
day  period,  an  acknowledgement  will  be 
sent  within  that  time  stating  the  status 
of  the  request,  an  expected  date  for  the 
decision  (within  thirty  days),  or,  if 
necessary,  a  request  for  any  additional 
information  required  to  complete 
processing  of  the  request.  A  decision 
shall  be  reached  within  thirty  working 
days  after  receipt  of  the  original  request 
or  receipt  of  the  additional  information. 
In  unusual  circumstances  and  for  good 
cause,  the  Office  may  decide  that  a 
decision  cannot  be  reached  within  thirty 
days.  In  such  a  case,  the  Office  will 
advise  the  requester  of  the  reason  for 
the  delay  and  furnish  a  date  by  which 
the  decision  can  be  expected.  Unusual 
circumstances  would  exist,  for  example 
when  the  record  must  be  retrieved  from 
archival  storage  or  from  various 
locations  or  when  there  is  a  voluminous 
amount  of  material  to  be  reviewed. 

(b)  The  requester  shall  be  notified  in 
writing  of  the  Office’s  decision.  If  the 
decision  upholds  the  denial  for  access, 
the  reason  for  the  decision  must  be 
given,  along  with  the  name  and  position 
title  of  the  official  responsible  for  the 
decision,  and  the  procedures  whereby 
the  requester  may  seek  judicial  review 
of  the  decision.  If  the  decision  is  to  grant 
access  to  the  material  previously  denied, 
the  Office  shall  inform  the  requester  of 


the  action  it  has  taken  to  provide  the 
record  previously  withheld.  The  Office 
shall  direct  the  system  manager  or 
designee  to  make  available  to  the 
requester  all  or  part  of  the  data  that  was 
withheld.  Where  only  part  of  the  data 
originally  withheld  is  to  be  granted  on 
administrative  review,  then  the  Office 
shall  inform  the  requester  of  the  reasons 
for  sustaining  part  of  the  denial,  the 
name  and  position  title  of  the  official 
responsible  for  the  decision,  and  the 
procedures  whereby  the  requester  may 
seek  judicial  review  of  the  decision. 

(c)  The  system  manager  or  designee 
who  issued  the  initial  denial  decision  is 
responsible  for  providing  the  record 
which  was  the  subject  of  the  access 
request,  and  must  otherwise  cooperate 
with  the  reviewing  official. 

§  297.306  Request  for  correction/ 
amendment 

(a)  Upon  receipt  of  a  request  to 
correct  or  amend  a  record,  when  the 
Office  or  agency  finds  that  the  request  is 
not  in  accordance  with  the  requirements 
prescribed  in  §  297.206  of  subpart  B  of 
this  part,  the  Office  or  agency  shall  in 
writing,  communicate  this  determination 
to  the  requester  and  solicit  clarification. 
From  the  standpoint  of  meeting  time 
limits,  the  request  shall  not  be 
considered  received  until  such  clarifying 
information  is  received. 

(b)  The  Office  or  agency  must  respond 
in  writing  to  a  request  to  amend  a  record 
within  ten  (10)  working  days.  Where 
appropriate,  a  response  indicating  the 
decision  of  the  Office  or  agency, 
regarding  the  request  to  amend  should 
be  furnished  at  that  time.  Where  a 
decision  cannot  be  furnished  within  ten 
working  days,  the  response  shall 
acknowledge  receipt  of  the  request  and 
shall  inform  the  requester  of  the  reasons 
for  the  delay,  and  the  approximate  date 
(within  thirty  working  days)  on  which  a 
decision  will  be  issued. 

(c)  When  the  request  for  amendment 
is  granted,  the  system  manager  or 
designee  shall  make  the  requested 
amendment,  informing  the  individual  in 
writing  of  this  action,  and  provide  either 
a  copy  of  the  amended  record,  or  in 
cases  where  a  copy  cannot  be  provided 
(for  example,  erasure  of  information 
from  a  record  maintained  only  in 
computer  media),  a  statement  of  how 
the  amendment  was  effected.  Further, 
the  system  manager  must  notify  prior 
recipients  of  the  record  (recipients  to 
whom  information  was  disclosed  for 
which  an  accounting  of  disclosure  was 
made)  of  the  amenc^enL  Such 
notification  shall  inform  the  prior 

'  recipient  of  the  amendmentfs)  made  and 
that  they  are  to  apprise  any  other 


agency  or  person,  to  which  they  have 
disclosed  the  record,  of  the 
amendment(8)  to  the  record.  Also,  the 
system  manager  or  designee  should, 
where  practical,  and  where  records  are 
used  in  determinations  concerning 
individuals,  advise  all  other  known 
holders  of  the  record  of  the  amendment 
The  requester  shall  be  informed  that 
prior  recipients  of  the  record  have  been 
requested  to  amend  their  copies  of  the 
record. 

(d)  When  the  request  for  amendment 
is  denied,  the  system  manager  or 
designee  shall  inform  the  individual  in 
writing  that  the  request  is  denied  and 
provide  the  following  information; 

(1)  The  system  manager’s  or 
designee’s  name  and  position  title; 

(2)  The  reason  for  denial,  including 
citation  of  the  appropriate  sections  of 
the  Act  and  §  297.307(c)  of  this  subpart; 
and 

(3)  The  procedures  for  requesting  a 
review  of  the  denial,  including  the  name 
and  address  of  the  Assistant  Director  for 
Agency  Compliance  and  Evaluation,  or 
in  the  case  of  an  OPM  denial,  the 
General  Counsel,  Office  of  Personnel 
Management,  1900  E  Street,  N.W.. 
Washington,  D.C.  20415,  as  appropriate 
(see  §  297.210). 

(e)  In  those  circumstances  where  the 
request  is  partially  granted  and  partially 
denied,  inform  the  requester  how  the 
amendment  has  been  partially  effected 
(paragraph  (c)  above)  and  the  basis  for 
the  denial  of  part  of  the  request 
(paragraph  (d)  above). 

§  297.307  Basis  for  denials  of  request  for 
amendments. 

(а)  'The  following  criteria  will  be 
considered  by  the  system  manager  or 
designee  in  reviewing  initial  requests  for 
amendment  of  records: 

(1)  The  sufficiency  of  the  evidence 
submitted  by  the  data  subject; 

(2)  The  factual  accauracy  of  the 
information  submitted  and  the 
information  in  the  record; 

(3)  The  relevancy,  necessity, 
timeliness,  and  completeness  of  the 
information  in  light  of  the  purpose  for 
which  it  was  collected: 

(4)  The  degree  of  possibility  that 
denial  of  the  request  could  result  in 
unfair  determinations  adverse  to  the 
data  subject; 

(5)  The  character  of  record  sought  to 
be  amended; 

(б)  'The  propriety  and  feasibility  of 
complying  with  specific  means  of 
amendbnent  requested  by  the  data 
subject;  and 

(7)  The  possible  involvement  of  the 
record  in  a  judicial  or  quasi-judicial 
process. 
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(b)  An  individual  requesting  an 
amendment  of  a  record  has  the  burden 
of  supplying  information  in  support  of 
the  propriety  and  necessity  of  the 
amendment  request.  The  request  would 
then  be  appropriate  for  resolution  upon 
determination  of  the  preponderance  of 
the  evidence.  The  Office  or  agency 
official  is  not  required  to  gather 
supporting  evidence  for  the  individual 
and  reserves  the  right  to  verify  the 
evidence  which  the  individual  submits. 

(c)  Amendment  of  a  record  will  be 
denied  upon  a  determination  by  the 
system  manager  or  designee  that: 

(1)  The  record  is  subject  to  an 
exeption  from  the  provisions  of  the 
Privacy  Act  allowing  amendment  of 
records,  and  such  exemption  is  claimed 
under  §  297.304  of  this  part; 

(2)  The  information  submitted  by  the 
data  subject  is  not  accurate,  relevant,  or 
of  sufficient  probative  value; 

(3)  The  amendment  would  violate  an 
enacted  statute  or  regulation; 

(4)  The  individual  refuses  to  provide 
information  which  is  necessary  to 
process  the  request  to  amend  the  record; 
or 

(5)  The  record  for  which  amendment 
is  requested  is  a  record  presented  in  a 
judicial  or  quasi-judicial  proceeding,  or 
maintained  in  anticipation  of  being  used 
in  a  judicial  or  quasi-judicial  proceeding, 
when  such  record  is  or  will  become 
available  to  the  individual  under  that 
proceeding  and  may  be  contested  during 
the  course  of  that  proceeding. 

§  297.308  Response  to  request  for 
administrative  review  of  denial  of  request 
for  amendment 

(a)  The  Office  shall  respond  in  writing 
within  ten  working  days  to  each  request 
for  administratiW  review  of  a  denial  of 
amendment.  If  a  decision  cannot  be 
made  within  the  ten  day  period,  an 
acknowledgement  letter  will  be  sent 
within  that  time  explaining  the  delay 
and  furnishing  an  expected  date  for  the 
decision.  A  decision  on  the  request  must 
be  made  within  thirty  working  days 
after  receipt  of  the  request.  Only  for 
good  cause  shown,  and  at  the  discretion 
of  the  responsible  OPM  ofiicial,  can  this 
time  limit  be  extended.  Any  extension 
requires  written  notification  to  the 
requester  explaining  the  reason  for  the 
extension  and  furnishing  a  new 
expected  date  for  the  decision. 
Generally,  such  extension  shall  be  for 
no  more  than  an  additional  thirty 
working  days. 

(b)  The  requester  shall  be  notified  in 
writing  of  the  Office’s  decision,  and  the 
responsible  official  shall: 

(1)  Grant  the  requested  amendment  in 
its  entirety  and  notify  the  requester  of 


all  action  taken  to  effect  the  amendment 
and  to  notify  prior  recipients  of  the 
record,  (see  §  297.306(c]  for  actions 
required);  or 

(2)  Uphold  the  decision  not  to  amend 
the  record  as  requested  and  inform  the 
requester  of: 

(i)  the  basis  for  the  decision; 

(ii)  the  name  and  position  title  of  the 
official  responsible  for  the  decision; 

(iii)  the  requester’s  right  to  file  a 
concise  statement  of  disagreement  with 
the  decision  and  the  record  contents  as 
well; 

(iv)  the  Office's  or  the  agency’s  right, 
where  appropriate,  to  attach  the 
decision  notice  to  the  concise  statement 
of  disagreement;  and 

(v)  the  procedures  whereby  the 
requester  may  seek  judicial  review  of 
the  decision;  or(3)  Grant  the  requested 
amendment  in  part,  and  for  that  part 
granted,  inform  the  requester  as 
prescribed  in  paragraph  (b)(1)  of  this 
section.  For  that  part  denied,  inform  the 
requester  as  prescribed  in  paragraph 
(b)(2)  of  this  section. 

(c)  The  system  manager  or  designee 
who  issued  the  initial  denial  decision  is 
responsible  for  providing  the  record 
which  was  the  subject  of  the 
amendment  request,  and  must  otherwise 
cooperate  with  the  reviewing  official. 

Subpart  D— Requirements  for 
Recordkeeping  Under  the  Privacy  Act 

§  297.401  Responsibility  for  systems  of 
records. 

(a)  The  Office  is  responsible  for  the 
types  of  systems  of  records  as  shown  in 
§  297.101  of  this  part. 

(b)  The  Office  shall  be  responsible  for 
publishing  the  annual  Federal  Register 
notice  of  systems  of  records  that  will 
prescribe  procediires  for  processing 
Privacy  Act  requests,  and  for  issuing 
regulations  for  these  systems.  The  Office 
also  shall  be  responsible  for  all 
recordkeeping  requirements  prescribed 
in  this  subpart  except  for  initial  requests 
for  access  and  amendment  and  for 
preparation  and  submission  of  the 
annual  report  for  the  Government-wide 
systems  of  records  that  agencies 
maintain. 

(c)  Agencies  shall  be  responsible  for 
processing  initial  requests  for  access 
and  amendment  for  those  Government- 
wide  system  of  records  identified  as 
OPM/GOVT  in  the  annual  publication 
of  system  notices.  When  an  agency 
denies  access  to  or  amendment  of 
records  in  one  of  these  Government- 
wide  systems  of  records,  the  Office  is 
solely  responsible  for  any 
administrative  review  of  that  decision. 


(d)  Agencies  shall  include  in  their 
annual  reports,  in  addition  to  that 
information  required  by  the  Office  of 
Management  and  Budget  dealing  with 
thei^  own  systems  of  records,  the 
information  descriptive  of  its  activities 
under  the  Privacy  Act  on  the  portions  of 
the  Government-wide  systems  of 
personnel  records  they  maintain. 

§  297.402  Responsibility  for  litigation 
concerning  the  regulations. 

In  any  litigation  action  arising  out  of 
the  Privacy  Act.  where  it  is  alleged  that 
an  agency  is  in  violation  of  the  Act 
because  of  its  adherence  to  the 
regulations  prescribed  in  this  part,  the 
Office  and  not  the  agency  shall  respond 
for  the  Government. 

§  297.403  Publication  of  annual  notices. 

(a)  The  Office  will  publish  annually  in 
the  Federal  Register,  in  the  format 
prescribed  by  the  General  Services 
Administration,  a  notice  describing  the 
systems  of  records  for  which  it  is 
responsible.  These  include  both  the 
Government-wide  systems  and  the  OPM 
INTERNAL  or  CENTRAL  systems  listed 
in  FPM  Chapter  297.  The  notice  will 
contain: 

(1)  The  name  and  location(s)  of  the 
system: 

(2)  The  categories  of  individuals  on 
whom  records  are  maintained  in  the 
system: 

(3)  The  categories  of  records 
maintained  in  the  system; 

(4)  Each  routine  use  of  the  records 
contained  in  the  system,  including  the 
categories  of  users  and  purposes  of  such 
uses; 

(5)  The  policies  and  practices 
regarding  storage,  retrievability,  access 
controls,  retention,  and  disposal  of  the 
records; 

(6)  The  position  title  and  business 
address  of  the  OPM  official(s) 
responsible  for  the  system  of  records; 

(7)  The  procedures  an  individual  must 
follow  to  be  notified  if  a  system  of 
personnel  records  contains  a  record 
about  the  individual; 

(8)  The  procedures  an  individual  must 
follow  to  gain  access  to  a  record  about 
the  individual  in  a  system  of  records, 
and  the  procedures  for  amending  its 
content; 

(9)  The  categories  of  sources  of 
records  in  the  system;  and 

(10)  Any  exemptions  ft*om  Privacy  Act 
requirements  which  are  claimed  for  the 
system. 

(b)  In  publishing  annual  notices  in  the 
Federal  Register  for  systems  of 
personnel  records  for  which  they  are 
responsible,  agencies  shall  not  publish 
system  notices  for  any  records  which 
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are  included  in  the  Office’s  Government- 
wide  systems  of  personnel  records. 
Agencies  may  publish  notices 
referencing  the  0PM  Government-wide 
notices,  which  indicate  the  geographical 
locations  for  these  records  and  the 
agency  official(s]  designated  to  handle 
requests  for  access  or  amendment. 

§  297.404  Reports  on  changes  to  systems 
of  records. 

(a)  The  Office  shall  provide  to 
Congress  and  the  Office  of  Management 
and  Budget,  advance  notice  of  any 
proposal  to  establish  or  alter  any  0PM 
system  of  personnel  records.  This  report 
will  be  submitted  in  accordance  with 
guidelines  provided  by  the  Office  of 
Management  and  Budget. 

(b)  Agencies  shall  propose  any 
changes  to  the  Office’s  Government¬ 
wide  systems  or  systems  notices  to  the 
Assistant  Director  for  Agency 
Compliance  and  Evaluation,  Office  of 
Personnel  Management,  1900  E  Street, 
NW.,  Washington,  D.C.  20415. 

§297.405  Penalties. 

(a)  The  Privacy  Act  provides  that,  if 
an  officer  or  employee  of  the  Office  or 
any  agency  willfully  maintains  a  system 
of  personnel  records  without  meeting 
the  notice  requirements  of  this  part,  that 
individual  may  be  guilty  of  a 
misdemeanor  and  fined  not  more  than 
$5,000. 

(b)  Whenever  an  agency  or  an  0PM 
official  fails  to  adhere  to  ^e 
requirements  of  this  part,  and  that 
failure  adversely  affects  an  individual, 
the  individual  may  bring  a  civil  action 
against  the  agency  or  the  OfTice  in  the 
district  court  of  the  United  States  either 
in  which  the  complainant  resides,  has 
his  or  her  principal  place  of  business, 
where  the  agency  records  are  situated, 
or  in  the  District  of  Columbia. 

§  297.406  Changing  or  adding  routine 
uses. 

(a)  Whenever  a  new  routine  use,  or 
substantive  change  in  an  existing 
routine  use,  is  proposed  for  one  of  the 
,  systems  of  personnel  records  for  which 
the  Office  has  published  the  system 
notice,  0PM  will  publish  in  the  Federal 
Register,  in  accordance  with  5  U.S.C. 
552a(e)(ll),  a  notice  of  intention  to 
establish  a  new  or  revised  routine  use. 
The  notice  will  invite  public  comment 
thereon  and  shall  contain  the  following 
information: 

(1)  The  name  of  the  system  of 
personnel  records  for  which  the  new  or 
revised  routine  use  is  to  be  established; 

(2)  The  authority  for  maintaining  the 
system  of  personnel  records; 


(3)  *1110  categories  of  records 
maintained  in  the  system; 

(4)  'The  proposed  new  or  revised 
routine  use  or  uses; 

(5)  The  purpose  of  the  new  or  revised 
routine  use  or  uses;  and 

(6)  The  categories  of  recipients  for 
each  use. 

'This  notice  may  be  published  at  any 
time,  but  not  less  than  30  days  prior  to 
the  next  annual  publication  of  notices. 

(b)  Agency  requests  for  additional 
routine  uses  for  one  of  the  Government- 
wide  systems  of  personnel  records  must 
be  sent  to: 

Assistant  Director  for  Agency  Compliance 
and  Evaluation,  Office  of  Personnel 
Management,  1900  E  Street,  N.W., 
Washington,  D.C.  20415. 

(c)  In  publishing  new  or  revised 
routine  uses  in  the  Federal  Register,  for 
systems  of  personnel  records  for  which 
they  are  responsible,  agencies  may  not 
unilaterally  establish  any  routine  uses 
for  records  in  OPM’s  Government-wide 
systems  of  personnel  records  in  addition 
to  those  published  in  the  OPM  notices 
for  these  systems.  'The  Civil  Service 
Reform  Act,  Pub.  L  95-454,  requires 
OPM  to  review  agencies’  personnel 
policies  and  practices  to  ensure  a  civil 
service  free  from  prohibited  personnel 
practices  and  operating  on  legally 
mandated  merit  system  principles.  To 
facilitate  these  reviews  of  agen^ 
practices,  agencies  shall  list  OPM 
officials  as  routine  users  for  appropriate 
agency  internal  personnel  record 
systems. 

§297.407  Providing  Privacy  Act 
Statements. 

Agencies  shall  ensure  that  individuals 
from  whom  information  is  collected 
about  themselves,  when  the  information 
is  to  be  maintained  in  an  OPM 
Government-wide  system  of  records,  are 
informed  of  the  authority  and  reasons 
for  requesting  the  information,  how  it 
may  be  used,  and  what  the 
consequences  are,  if  any,  of  not 
providing  the  information.  As  a 
minimum,  the  individual  should  be  given 
the  following  information  in  language 
which  is  explicit  and  easily  understood 
and  not  so  lengthy  as  to  deter  an 
individual  from  reading  it: 

(a)  Cite  the  specific  statute  or 
Executive  Order,  including  a  brief  title 
or  subject,  which  authorizes  the  agency 
to  collect  the  personal  information  it  is 
requesting.  Inform  the  individual 
whether  or  not  a  response  is  mandatory 
or  voluntary  and  any  possible 
consequences  of  failing  to  respond; 

(b)  Cite  the  principal  purpose(s)  for 
which  the  information  will  be  used  by 
the  agency  which  maintains  it;  and 


(c)  Cite  the  probable  routine  uses  for 
which  the  information  may  be 
employed.  This  may  be  a  summary  of 
the  information  published  in  the  system 
notices. 

§  297.408  Annual  Reports. 

(a)  By  April  30th  of  each  year,  the 
Office  will  submit  to  the  Office  of 
Management  of  Budget,  a  report 
concerning  activities  under  the  Privacy 
Act  of  1974  as  they  relate  to  OPM 
systems  of  personnel  records  for  the 
preceding  year. 

(b)  To  the  extent  that  agencies  have 
physical  custody  of  records  in  the 
Office’s  Government-wide  systems  of 
personnel  records,  and  have  the 
authority  in  some  instances  to  grant 
access  to  and  amend  these  records, 
agencies  will  include  in  their  annual 
report  to  OMB,  their  Privacy  Act 
activities  involving  these  records  as 
outlined  in  §  297.401(d)  of  this  subpart. 

§  297.409  Annual  notice  to  employees. 

Agencies  must  provide,  at  the 
individual’s  request,  and  opportunity  for 
an  individual  to  review  automated  and 
manual  personnel  records  that  are 
maintained  concerning  the  individual 
and  that  have  the  potential  of  being 
used  in  making  a  determination  about 
the  individual  or  being  disclosed  under 
routine  uses  outside  the  agency. 
Agencies,  at  least  annually,  must 
announce  this  opportunity  by  a  notice  to 
all  employees. 

Subpart  E— Disclosures  From  Systems 
of  Records 

§  297.501  Restrictions  on  disclosure  of  a 
deceased  data  subject’s  record. 

Whenever  a  specific  request  is  made 
for  access  to  the  record  of  a  deceased 
data  subject,  the  information  requested 
will  be  disclosed  unless  it  pertains  to 
someone  other  than  the  data  subject  and 
disclosure  would  be  considered  to  be  a 
clearly  unwarranted  invasion  of  the 
living  person’s  privacy  or  can  otherwise 
be  legally  withheld. 

§  297.502  General  written  consent 
requirement. 

'The  Office  or  agency  is  prohibited 
from  disclosing  a  record,  from  a  system 
of  records  without  obtaining  the  prior 
written  consent  of  the  data  subject, 
except  as  provided  below. 

§  297.503  Disclosures  permitted  without 
prior  written  consent  of  the  data  subject. 

Section  297.213  of  this  part  described 
conditions  under  which  disclosures  of 
records  could  be  made  to  parties  other 
than  the  data  subject.  Among  those 
conditions,  §  297.213(e)  refers  to  the 
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(b)(1)  through  (b)(ll)  provisions  of  the 
Privacy  Act  (5  U.S.C.  552a).  These 
provisions  are  shown  below  and  allow 
disclosure  of  records  without  the  prior 
written  consent  of  the  data  subject.  The 
OHice  and  agencies  are  permitted  to 
disclose  information  from  a  system  of 
records  withot  the  prior  consent  of  the 
date  subject,  whenever  such  disclosure 
is: 

(a)  To  those  officers  and  employees  of 
the  agency  which  maintain  the  record 
and  who  have  a  need  for  the  record  in 
the  performance  of  their  duties  (includes 
disclosure  of  records  to  OPM  officials 
from  any  Government-wide  system 
maintained  by  agencies  for  the  OfHce. 
e.g.,  disclosure  of  Official  Personnel 
Folders); 

(b)  Required  under  the  Freedom  of 
Information  Act  (5  U.S.C.  552); 

(c)  Permitted  by  a  routine  use  that  has 
been  published  in  the  Federal  Register; 

(d)  To  the  Bureau  of  the  Census  for 
purposes  of  planning  or  carrying  out  a 
Census  or  survey  or  related  activity 
pursuant  to  the  provisions  of  title  13; 

(e)  To  a  recipient  who  has  provided 
the  Office  or  an  agency  with  advance 
adequate  written  assurance  that  the 
record  will  be  used  solely  as  a  statistical 
research  or  reporting  record,  and  the 
record  is  to  be  transferred  in  a  form  that 
is  not  individually  identifiable. 
Assurance  includes: 

(1)  a  statement  of  the  purpose  for 
requesting  the  records;  and 

(2)  certiHcation  that  the  records  will 
be  used  only  for  statistical  purposes; 

(f)  To  the  National  Archives  of  the 
United  States  as  a  record  which  has 
sufficient  historical  or  other  value  to 
warrant  its  evaluation  by  the 
Administrator  of  General  Services  or  his 
designee  to  determine  whether  the 
record  has  such  value; 

(g)  To  another  agency  or  to  an 
instrumentality  of  any  governmental 
jurisdiction  within  or  under  the  control 
of  the  United  States  for  a  civil  or 
criminal  law  enforcement  activity  if  the 
activity  is  authorized  by  law,  and  if  the 
head  of  the  agency  or  instrumentality 
has  made  a  written  request  to  the 
agency  which  maintains  the  record 
specifying  the  particular  portion  desired 
and  the  law  enforcement  activity  for 
which  the  record  is  sought; 

(h)  To  a  person  pursuant  to  a  showing 
of  compelling  circumstances  affecting 
the  health  and  safety  of  an  individual 
(not  necessarily  the  data  subject).  Upon 
such  disclosure,  the  data  subject  must 
be  notified  in  writing  of  the  disclosure. 
This  requirement  is  met  when 
notification  is  transmitted  to  the  last 
known  address  of  the  data  subject; 


(i)  To  either  House  of  Congress,  or  to 

a  committee  or  subcommittee  (joint  or  of 
either  House)  to  the  extent  that  the 
subject  matter  falls  within  the 
jursidiction  of  the  committee  or 
subcommittee; 

(j)  To  the  Comptroller  General,  or  any 
authorized  representative  of  that  office 
in  the  course  of  the  performance  of  the 
duties  of  the  General  Accounting  Office; 
or 

(k)  Pursuant  to  the  order  of  a  court  of 
competent  jurisdiction,  as  dehned  in 

§  297.504  of  this  part. 

§  297.504  Disclosure  pursuant  to 
compulsory  legal  process. 

(a)  The  O^ice  or  agency  may  disclose, 
without  prior  consent  of  the  data 
subject,  specified  information  from  a 
system  of  records  whenever  such 
disclosure  is  pursuant  to  an  order  issued 
by  a  court  of  competent  jurisdiction,  an 
administrative  body  of  competent 
jurisdiction.  Grand  Jury,  or  quasi¬ 
judicial  agency.  For  purposes  of  this 
subpart,  a  court  of  competent 
jurisdiction  includes  the  judicial  system 
of  a  state,  tenritory,  or  possession  of  the 
United  States. 

(b)  Notice  of  the  order  shall  be 
provided  as  soon  as  practicable  after 
service  of  the  order  and  shall  be  mailed 
to  the  last  known  address  of  the 
individual  and  state  the  name  and 
number  of  the  case  or  proceeding,  and 
the  nature  of  the  information  sought. 

(c)  Before  complying  or  refusing  to 
comply  with  the  order,  an  official  with 
authority  to  disclose  records  under  this 
subpart  will  consult  legal  counsel  to 
ensure  that  the  response  is  appropriate. 

§  297.505  Disclosure  pursuant  to  a 
subpoena. 

(a)  The  Office  or  agency  may  disclose, 
without  prior  consent  of  the  individual, 
specified  information  from  a  system  of 
records  whenever  such  disclosure  is 
pursuant  to  subponea  issued  in ' 
connection  with  a  judicial  or 
administrative  proceeding. 

(b)  Before  responding  to  a  subpoena, 
an  official  with  authority  to  disclose 
records  under  this  part,  will  consult,  as 
appropriate,  with  legal  counsel  to  ensure 
that: 

(1)  The  requested  materials  are  not 
privileged  and  are  relevant  to  the 
subject  matter  of  the  related  judicial  or 
adminstrative  proceeding; 

(2)  Motion  is  made  to  quash  or  modify 
a  subpoena  that  is  unreasonable  or 
oppressive; 

(3)  Motion  is  made  for  a  protective 
order  where  necessary  to  restrict  the  use 
or  disclosure  of  any  information 
furnished  for  purposes  other  than  those 


of  the  judicial  or  administrative 
proceeding;  or 

(4)  Request  for  an  extension,  if 
needed,  of  the  time  allowed  for  response 
is  made. 

(c)  If  a  subpoena  for  production  of 
documents  requests  appearance  of  an 
agency  employee,  the  reponse  shall  be 
to  furnish  cer^ed  copies  of  the 
appropriate  records  to  the  reqtiesting 
party.  In  no  event  will  origin^ 
documents  be  released  h-om  the 
physical  control  of  a  responsible  office 
or  agency  employee. 

(d)  If  oral  testimony  is  sought  by  the 
subpoena,  an  explanation  by  the  party 
seeking  the  testimony  which  sets  forth 
the  testimony  desiredL  must  be 
furnished.  The  employee  or  former 
employee  of  the  office  who  has  been 
subpoenaed  to  provide  material  or 
information  shall  consult  with  legal 
counsel  to  determine  the  matters  about 
which  the  employee  may  properly 
testify. 

(e)  In  all  situations  concerning  a 
subpoena  or  other  demand  for  an 
employee  of  the  Office  or  agency  to 
produce  any  material  or  testimony 
relating  to  information  contained  in  the 
files  of  the  office  or  agency  acquired  as 
part  of  the  employee’s  performance  of 
his  or  her  official  duties,  the  employee 
shall  not  disclose  the  information 
without  prior  approval  of  the 
appropriate  Office  or  agency  official. 

(f)  If  it  is  decided  that  the  information 
or  material  should  not  be  provided,  the 
employee  or  former  employee 
subpoenaed  shall  respectfully  decline  to 
comply  with  the  demand  on  the  basis  of 
instructions  from  the  appropiiate  office 
or  agency  official. 

(g)  When  subpoenaed  records 
concerning  a  non-party  are  subject  to 
the  Privacy  Act  die  disclosing  official  of 
the  Office  or  agency  shall  be  responsible 
for  notifying  the  individual  of  the 
subpoena's  issuance.  Notice  shall  be 
mailed  to  the  last  known  address  of  the 
individual  and  state  the  date  the 
subpoena  is  returnable,  the  name  and 
number  of  the  case  or  i»*oceeding,  and 
the  nature  of  the  information  sought. 
Notice  shall  be  provided  as  soon  as 
practicable  after  service  of  the 
subpoena. 

§  297.506  Accounting  of  disclosure. 

(a)  Whenever  an  accounting  of 
disclosure  is  required,  as  stated  in 
§  297.214  of  this  part,  the  accounting 
shall  include: 

(1)  The  description  of  the  record 
disclosed: 

(2)  The  name,  position  title,  and 
address  of  the  person  to  whom  the 
disclosure  was  made; 
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(3)  The  method  and  purpose  of 
disclosure; 

(4)  The  name  and  position  title  of  the 
person  making  the  disclosure:  and 

(5)  The  date  of  the  disclosure  of  the 
record. 

(b)  The  Office  or  agency  must  record 
the  accounting  of  disclosures  and  must 
retain  this  accounting  for  at  least  five 
years  or  the  life  of  the  record,  whichever 
is  longer.  This  accounting  of  disclosures 
may  be  maintained  either  in  the  record 
itself  or  elsewhere,  and  must  be  in  a 
manner  that  permits  an  accurate  and 
complete  response  to  any  proper  request 
for  an  accounting  of  all  disclosures 
made. 

(c)  Except  for  disclosures  made  under 
5  U.S.C.  552a(b)(7)  for  law  enforcement 
purposes,  or  disclosures  from  Office 
systems  of  personnel  records  for  which  ' 
an  exemption  from  5  U.S.C.  552a(c)(3) 
has  been  claimed,  the  accounting  of 
disclosures  is  available  to  the  data 
subject  on  request. 

(d)  For  purposes  of  this  subpart,  the 
system  of  accounting  of  disclosures  is 
not  a  system  of  records  as  defined  in 
this  part  and  no  accounting  need  be 
maintained  for  disclosures  of  the 
accounting  of  disclosures. 

§297.507  Penalties. 

(a)  Whenever  the  Office  or  agency 
fails  to  comply  with  any  provision  of 
this  subpart  in  such  a  way  as  to  have  an 
adverse  effect  on  a  data  subject,  that 
data  subject  may  bring  civil  action 
against  the  Office  or  agency. 

(b)  Whenever  an  Office  or  agency 
employee  knowingly  and  willfully 
makes  a  disclosure  to  any  person  or 
agency  not  entitled  to  receive  it,  that 
individual  may  be  guilty  of  a 
misdemeanor  and  fined  not  more  than 
$5,000. 

(c)  Whenever  a  requester,  or  an  Office 
or  agency  employee  knowingly  and 
willfully  requests  or  obtains  any  record 
concerning  an  individual  from  an  agency 
under  false  pretenses,  that  individual 
may  be  guilty  of  a  misdemeanor  and 
fined  not  more  than  $5,000. 
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